ADM103 System Administration II of SAP S/4HANA and SAP Business Suite

PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING

Course Version: 23
Course Duration: 4 Day(s)
Material Number: 50161776

© 2023 SAP SE or an SAP affiliate company. All rights reserved.
Contents

Course Overview

Unit 1: Administrating Technology Components for HTTP-based Communication
Lesson: Describing Scenarios for HTTP-based Communication with ABAP based SAP Systems
Lesson: Configuring the Internet Communication Manager (ICM)
Lesson: Using the Internet Communication Framework (ICF)
Lesson: Maintaining UI-related Software Components
Lesson: Configuring SAP Gateway
Lesson: Describing Web Services in AS ABAP
Lesson: Installing and Configuring SAP Web Dispatcher

Unit 2: Setting Up SAPconnect and SMTP
Lesson: Setting Up Communication with SAPconnect
Lesson: Setting Up Communication with Simple Mail Transfer Protocol (SMTP)

Unit 3: Installing an Enqueue Replication Server (ERS)
Lesson: Managing an Enqueue Replication Server (ERS)

Unit 4: Configuring Extended Computer Aided Test Tool (eCATT)
Lesson: Describing the Basics of Extended Computer Aided Test Tool (eCATT)
Lesson: Configuring the System Landscape for eCATT
Lesson: Executing eCATT Test Scripts

Unit 5: Configuring Central User Administration (CUA)
Lesson: Understanding the Basic Idea of CUA
Lesson: Setting Up a CUA
Lesson: Performing User Administration with CUA

Unit 6: Dealing with Aspects of Globalization
Lesson: Discussing Aspects of Globalization
Lesson: Importing Additional Languages into an SAP System
Lesson: Addendum: Introducing Unicode

Glossary

Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:
● Technology Consultant
● System Administrator
UNIT 1 Administrating Technology Components for HTTP-based Communication

Lesson 1: Describing Scenarios for HTTP-based Communication with ABAP based SAP Systems
Lesson 2: Configuring the Internet Communication Manager (ICM)
Lesson 3: Using the Internet Communication Framework (ICF)
Lesson 4: Maintaining UI-related Software Components
Lesson 5: Configuring SAP Gateway
Lesson 6: Describing Web Services in AS ABAP
Lesson 7: Installing and Configuring SAP Web Dispatcher

UNIT OBJECTIVES
● List options for HTTP-based communication with ABAP based SAP systems
● Outline the system landscape used in this unit
● Describe the implementation of the ICM
● Illustrate monitoring options for the ICM process
● Describe the configuration of the ICM process for the use of SSL
● Explain the importance of the ICF for handling HTTP requests
● Describe what constitutes an ICF service
● Illustrate the idea of the ICF recorder
● Perform changes to SAP GUI for HTML settings
● List prerequisites for the use of SAP integrated ITS
● Perform an update to the latest Unified Rendering patch
● Perform an update to the latest SAPUI5 patch
● Explain OData
● Explain SAP Gateway
● Perform basic configuration steps for SAP Gateway
● Enable SAP Gateway soft state
● Configure SAP Gateway routing
● Name a use case for Web Services
● Explain the Web Service paradigm
● List the steps to create a Web Service from a function module using the inside-out approach
● List options to perform binding in the production environment
● Describe basic functions of SAP Web Dispatcher
● Perform an installation of SAP Web Dispatcher
● Use the Web Administration interface
● Perform the configuration of SSL
● Perform the configuration of load balancing
● Describe additional functions of SAP Web Dispatcher
Unit 1 Lesson 1

Describing Scenarios for HTTP-based Communication with ABAP based SAP Systems

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● List options for HTTP-based communication with ABAP based SAP systems
● Outline the system landscape used in this unit

Introduction

SAP provides a number of ways in which applications can be created for intranet or internet users. This lesson introduces the technologies on which these applications are based and explains the differences between them.

Changes during the Various Releases

As of SAP BASIS 3.1G: SAP Internet Transaction Server

SAP delivered the first version of the SAP Internet Transaction Server (SAP ITS) with SAP R/3 3.1G in 1996. SAP ITS is software that acts as a gateway between a Web server and an SAP system. It switches between general Internet protocols and formats (such as HTTP, HTTPS, and HTML) and those that are specific to the SAP system (such as DIAG, RFC, and dynpros (screens)).

First, the SAP ITS was implemented as standalone software that was used “in front of” an ABAP-based SAP system (see the following figure). This “standalone” ITS existed as of Release 3.1G up to and including 6.20 (upwardly and downwardly compatible with SAP systems up to and including AS ABAP 6.40). As of AS ABAP 6.40, the new ITS is integrated in AS ABAP on all platforms with a simplified architecture.

Figure 1: System Landscape with Standalone ITS

Web applications that were developed specifically for SAP ITS are called Internet Application Components (IACs). These include Employee Self Services (ESS) that are based on SAP R/3 and SAP R/3 Enterprise or the SAP Online Store. The SAP GUI for HTML also uses the SAP ITS.
SAP ITS functionality (either standalone or integrated) is therefore required for existing Web applications (in IAC technology) and the SAP GUI for HTML, regardless of the AS ABAP release of the corresponding SAP system.

As of SAP BASIS 6.10: Internet Communication Manager

Based on the highly scalable infrastructure, as of SAP Web AS 6.10 new technologies are used to process HTTP requests (and other protocols) directly from the internet or to send HTTP client requests to the internet. To achieve this, the SAP Kernel has been extended with the Internet Communication Manager (ICM) process. The ICM process forwards requests to the Internet Communication Framework (ICF), which supports numerous programming models. This is how the SAP CRM, SAP BW, and SAP PI software components use this infrastructure. One programming model for such applications (among others) is Business Server Pages (BSPs).

As of SAP BASIS 7.00: Web Dynpro ABAP

Web Dynpro is the preferred programming model for stateful desktop application Web interfaces in SAP Business Suite systems. It provides a clear distinction between the user interface (UI) and the business logic. It also provides functions that are not usually available as part of the standard tools for developing professional user interfaces. These include functions for checking entries, providing input help, supporting multiple languages, and handling errors comfortably, as well as caching mechanisms that ensure fast response times and are therefore especially useful for interactive user interfaces. The Web Dynpro ABAP programming model is available as of AS ABAP 7.00.

Note: For more information about Web Dynpro technology, see the SAP Community (successor of SAP Community Network) at https://community.sap.com/topics/web-dynpro-abap-floorplan.
As of SAP BASIS 7.00: SAPUI5 and OData

SAPUI5 is the SAP implementation of the open HTML5 standard. The ICF can process Web pages based on HTML5 (for this, the plug-in UI_INFRA or the software component SAP_UI needs to be installed on the SAP system).

OData is an open standard that can be used by any software or device that communicates using the HTTP(S) protocol. It can parse and construct an XML document. OData can also be described as ODBC for the Web. SAP Gateway is the implementation of the OData standard on an AS ABAP-based SAP system (available for AS ABAP 7.00 onwards).

As of AS ABAP 7.40: SAP Fiori

SAP Fiori is a collection of apps that are created based on the rules of the SAP User Experience and therefore represent them. The majority of SAP Fiori apps are web apps built using SAPUI5 as UI technology. SAPUI5 in turn is based on HTML5 and can be consumed on every device using a Web browser. For developing SAPUI5 applications, SAP offers SAP Business Application Studio (running on SAP Business Technology Platform) and SAP Fiori tools - Extension Pack for Visual Studio Code.

As of AS ABAP 7.40, SAP Fiori Launchpad, which is the entry point to SAP Fiori apps on mobile or desktop devices, is part of every SAP AS ABAP.

The System Landscape in this Class

The following figure shows the system landscape for this training.

Note: The SAP Web Dispatcher on host fsXhost (on this figure, “X” is to be replaced by either “q” or “p”) does not already exist but will be installed during this unit.

Figure 2: (To-Be) Training System Landscape for HTTP Communication in this Class

Summary

The following figure compares the user interfaces and the communication interfaces of SAP R/3 with the ones of SAP S/4HANA Server and shows which release of software component SAP BASIS has introduced the changes.

Figure 3: Comparison SAP R/3 vs. SAP ECC / S/4HANA Server

LESSON SUMMARY
You should now be able to:
● List options for HTTP-based communication with ABAP based SAP systems
● Outline the system landscape used in this unit

Unit 1 Lesson 2

Configuring the Internet Communication Manager (ICM)

LESSON OVERVIEW
In this lesson, you will learn about the Internet Communication Manager (ICM) process and its administration options.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the implementation of the ICM
● Illustrate monitoring options for the ICM process
● Describe the configuration of the ICM process for the use of SSL

Architecture of the ICM Process

Figure 4: Example for a System Landscape

The figure above shows an example of a system landscape in which Web browsers from the internet and intranet are connected with an AS ABAP (in this case, distributed across a number of servers). Important features are:
● Support for standard Web protocols such as HTTP, HTTPS, WebDAV, SOAP, and SMTP
● Display of standard Web formats such as HTML, XML, OData and XSLT
● Complete integration into the SAP environment (development environment, user administration, authorization concept, system monitoring, and communication protocols)

The AS ABAP can act both as a Web server (server role) and as a Web client (client role). The server role, in which the AS ABAP can accept and process HTTP(S) requests from any Web client (such as a Web browser) and send back an HTTP(S) response, is what we will discuss in this lesson.

Within a work process, the Internet Communication Framework (ICF) provides the environment for handling HTTP(S) requests. The ICF is the bridge between the C kernel of the SAP system and the application program created in ABAP.
Work processes can directly generate Web-compatible content in a way that can be forwarded to a Web browser using the ICM. One way of creating content of this type is to use Web Dynpro applications that are developed in the SAP system using the ABAP Workbench (for example transaction SE80).

Figure 5: Internal Structure of the ICM Process

From a technical point of view, the ICM is a separate process (icman at operating system level) that is started and monitored by the ABAP dispatcher. Its task is to ensure that the SAP system can communicate with the outside world (using HTTP, HTTPS, and SMTP). In the server role, it can process requests from the internet that arrive with URLs with the server/port combination for which the ICM is listening. The ICM then calls the appropriate local handler, depending on the URL.

The ICM process uses threads to process the created workload in parallel. The components of the ICM are:
● Thread Control: This thread accepts the incoming TCP/IP requests and creates (or raises) a worker thread from the thread pool to process the request.
● Worker Thread: This thread handles requests and responses for a connection. A worker thread contains an I/O handler for the network input and output, and various plug-ins for the different supported protocols.
● Watchdog: A worker thread usually waits for a response (whether it is client or server); if a timeout occurs, the watchdog takes over the task of waiting for the response. The worker thread can then be used for other requests.
● Signal Handler: This thread processes signals that are sent from the operating system or another process (such as the ABAP dispatcher).
● Connection Information: Table with information for each existing network connection.
● Memory Pipes: These memory-based communication objects allow data transfer between the ICM and the ABAP work processes.
The requests from the ICM must also wait in the dialog queue of the ABAP dispatcher. When a free dialog work process is found, ICM threads and dialog work processes communicate directly with each other.

The ICM uses plug-ins to implement the different communication protocols. Once the AS ABAP has been installed, the following protocols can be used immediately:
● HTTP
● HTTPS
● SMTP

Figure 6: Internet Server Cache (ISC)

A part of the ICM that is important for performance is the Internet Server Cache (ISC), which stores HTTP(S) objects before they are sent to the Web browser. The next request can then be served directly from the ISC, provided that the expiry time has not elapsed. This avoids branching to the ABAP work process, which can accelerate the access considerably.

Some features of the ISC are:
● Two-level hierarchy: When objects are stored, the advantages of both the high speed of main memory (memory cache) and the storage capacity of hard disks (disk cache) are used.
● Dynamic Caching: Traditional products are based on HTTP proxies and usually offer caching only of static content, such as images. The ISC can also cache dynamic content such as JSPs or BSPs.
● Active Caching: The application has full control over ensuring that the objects in the cache are up to date.
● UFO Caching: Invalid requests (“UnFound Objects”) that lead to error situations in the application server or the database are directly rejected, so that the system is protected against invalid or malicious requests.
● Browser-dependent Caching: The developer of a BSP can define whether his or her application is dependent on the browser type. If this indicator is set, the ISC uses the data in the cache only for requests from the same browser type.

The ISC is configured using the profile parameter icm/HTTP/server_cache* and can be monitored and invalidated from the SAP system.
Start Procedure and ICM Monitoring

Figure 7: Starting the ICM

The profile parameter rdisp/start_icman controls whether an ICM process is also started when an application server is started. If no value is specified, the default setting true applies. You configure the ICM using profile parameters (most of which begin with icm/). The settings for icm/server_port_<xx> are of particular importance. These settings determine the port used for each protocol, as well as other attributes of the protocol (such as timeout).

Note: SAP Note 2560792 – ABAP instances in SAP S/4HANA always start with an icman process states that as of Kernel 7.72, the AS ABAP instance always starts with an ICM process. As of this Kernel version, the parameter rdisp/start_icman no longer exists and is ignored.

In the SAP system, you can quickly obtain an overview of which application servers are running with an ICM using the AS Instances of SAP System <SID> overview (transaction SM51). For more detailed information (such as the thread ID), see the ICM Monitor (transaction SMICM). From this transaction, you can choose the menu path Administration → ICM to terminate the ICM with a soft termination (corresponds to Unix signal 2) or (depending on the release) a hard termination (corresponds to Unix signal 9). The dispatcher then starts a new ICM process. By choosing Administration → ICM → Restart → Yes/No (if available), you can control whether the ABAP dispatcher will restart the ICM when it is terminated by an error or at the request of an administrator.

Figure 8: ICM Monitor Functions

The most important tool for an administrator in the ICM environment is the ICM Monitor (transaction SMICM). Note that the data displayed is instance-dependent (in the same way as the work process overview, transaction SM50).
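The icm/server_port_<xx> settings described above decide which listeners an instance exposes, so they are worth reviewing outside the system as well. The following Python sketch is an added example, not part of the course material: it reads an instance profile, resolves each ICM port, and reports plain HTTP listeners, duplicate ports and a missing HTTPS port. The sample profile is constructed, and the value layout (PROT=, PORT=, TIMEOUT=, with $$ standing for the instance number from SAPSYSTEM) is assumed as commonly used in ICM profiles.

```python
import re

# Constructed sample profile excerpt; values are illustrative only.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEM = 00
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=SMTP,PORT=25
icm/server_port_2 = PROT=HTTPS,PORT=443$$,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_3 = PROT=HTTP,PORT=80$$
"""

PORT_PARAM = re.compile(r"^icm/server_port_(\d+)$")


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # split on the first '=' only
        params[name.strip()] = value.strip()
    return params


def icm_ports(params):
    """Extract every icm/server_port_<xx> entry as a dict, sorted by index."""
    instance_no = params.get("SAPSYSTEM", "")
    ports = []
    for name, value in params.items():
        match = PORT_PARAM.match(name)
        if not match:
            continue
        attrs = {}
        for item in value.split(","):
            key, sep, val = item.partition("=")
            if sep:
                attrs[key.strip().upper()] = val.strip()
        port = attrs.get("PORT", "")
        if instance_no:
            # $$ is replaced by the instance number; left as-is if unknown
            port = port.replace("$$", instance_no)
        ports.append({
            "index": int(match.group(1)),
            "prot": attrs.get("PROT", "").upper(),
            "port": port,
            "timeout": attrs.get("TIMEOUT"),
        })
    return sorted(ports, key=lambda p: p["index"])


def audit(ports):
    """Return a list of findings for the given port entries."""
    findings = []
    first_user = {}
    for p in ports:
        label = f"icm/server_port_{p['index']}"
        if not p["prot"] or not p["port"].isdigit():
            findings.append(f"{label}: PROT or PORT missing or unresolved")
            continue
        if p["prot"] == "HTTP":
            findings.append(
                f"{label}: plain HTTP on port {p['port']}, traffic is not encrypted")
        if p["port"] in first_user:
            findings.append(
                f"{label}: port {p['port']} already used by {first_user[p['port']]}")
        else:
            first_user[p["port"]] = label
    if not any(p["prot"] == "HTTPS" for p in ports):
        findings.append("no HTTPS port configured")
    return findings


if __name__ == "__main__":
    for finding in audit(icm_ports(parse_profile(SAMPLE_PROFILE))):
        print(finding)
```

The values shown in the ICM Monitor (Goto → Parameters → Display) are the ones that apply to the running instance; a file-based check like this only covers what is written in the profile.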
Some administrative activities (all available from transaction SMICM) are:
● Monitoring and restarting the ICM.
● Configuring the trace level (Goto → Trace Level → ...), values range from 0 (no trace) to 3 (full trace with buffers).
● Evaluating the trace files (Goto → Trace File → ...); the system reads the ICM trace file dev_icm or the ICM security log dev_icm_sec from the work directory of the current instance.

Note: Depending on the release, the ICM security log can also be named dev_icm_sec-<date> and be located in the log directory of the current instance.

● Overview of the profile parameters (Goto → Parameters → Display/Change). The ICM is configured using profile parameters. The displayed values apply for the instance to which you are currently logged on. For documentation on the parameters, see
  - the ICM Monitor (transaction SMICM, menu path Goto → Parameters → Change, select the parameter in question and choose Documentation),
  - transaction RZ11, and
  - SAP online documentation.
● Display the statistics (Goto → Statistics → Display). You can use these statistics to find out how many requests the ICM has processed since it was started (or since the statistics were reset). The system also displays information about the processing time.
● Monitoring (Goto → HTTP Plug-In → Server Cache → Display) and resetting (Goto → HTTP Plug-In → Server Cache → Invalidate Locally / Globally) the ICM server cache. The ICM server cache stores HTTP objects before they are sent to the client. The next time that this object is requested, the content can be sent directly from the cache to the client.
● In maintenance mode (Administration → ICM → Maintenance Mode → Activate / Deactivate), the ICM logs off from the ABAP message server and is not available for Web requests. The ICM processes only the remaining requests. If an internet user accesses an ICM in this status from the Web browser, the system will issue a message stating that the service is not available.

You can determine some of the listed data at operating system level using the icmon program. The call icmon -h displays the possible parameters for this small program, which can also, among other things, generate requests to simulate normal system workload.

Note: A Web Administration interface is available for administration and monitoring purposes as well. Using this interface, you can monitor and administrate the ICM from a Web browser and from SAP MC / SAP MMC. The Web admin interface provides the same functions as the ICM Monitor.

Configure SSL for the ICM

You can use the Secure Sockets Layer (SSL) protocol to secure HTTP connections to and from AS ABAP. When using SSL, the data being transferred between the two parties (client and server) is encrypted.

The SSL protocol uses public-key technology to provide its protection. Therefore, as a prerequisite to use SSL, the server must possess a public and private key pair and a corresponding public-key certificate. It must possess
● one key pair and certificate to identify itself as the server component and
● another key pair and certificate in case that the server is to identify itself as a client component.

These key pairs and certificates are stored in the Personal Security Environments (PSEs) of the server, the SSL server PSE and the SSL client PSE, respectively.

The following roadmap contains the main steps to configure SSL for the AS ABAP:
Figure 9: Configuration of AS ABAP to Support SSL as Server - Roadmap

For more information, see the SAP S/4HANA online documentation (Product Assistance), area Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security Concepts and Tools → Network and Transport Layer Security → Transport Layer Security on ABAP Platform → Configuring the ABAP Platform to Support TLS and SAP Note 510007 – Additional considerations for setting up SSL on Application Server ABAP.

Related Information

Concerning the Internet Communication Manager (ICM), the following paths in SAP Online documentation and the following SAP Notes might be helpful for further information:
● SAP S/4HANA online documentation (Product Assistance), area Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Components of Application Server ABAP → Internet Communication Manager (ICM) → Administration of the ICM
● SAP Note 2007212 – Tuning SAP Web Dispatcher and ICM for high load
● SAP Note 2149132 – ICM performance checks
● SAP Note 2160678 – SSO stops working when the ICM trust parameters are configured
● SAP Note 2052899 – ICM - Multiple Trusted Reverse Proxies
● SAP Note 2456368 – How to find SAP WIKI for BC-CST-IC

LESSON SUMMARY
You should now be able to:
● Describe the implementation of the ICM
● Illustrate monitoring options for the ICM process
● Describe the configuration of the ICM process for the use of SSL

Unit 1 Lesson 3

Using the Internet Communication Framework (ICF)

LESSON OVERVIEW
The Internet Communication Framework (ICF) provides an environment for handling Web requests in the ABAP work process of an SAP system. This lesson introduces the ICF and provides more information about some administrative issues.
The last part of this lesson is dedicated to the SAP GUI for HTML and the integrated SAP ITS.

Business Example
Your company wants to use Web applications based on Web Dynpro ABAP, BSPs, or the integrated SAP ITS to connect your SAP systems with the internet or intranet. As a member of the system administration team, it is your task to create connections between the URLs and the assigned services and programs of the SAP system.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain the importance of the ICF for handling HTTP requests
● Describe what constitutes an ICF service
● Illustrate the idea of the ICF recorder
● Perform changes to SAP GUI for HTML settings
● List prerequisites for the use of SAP integrated ITS

The Internet Communication Framework (ICF)

The Internet Communication Framework (ICF) provides a way for different systems to communicate with each other over the internet/intranet using standard protocols (such as HTTP and SMTP). As of AS ABAP 7.40, no additional programming libraries (for AS ABAP) are required from SAP. However, for the HTTPS protocol, certain configuration steps need to be performed (see SAP Note 510007 – Additional considerations for setting up SSL on Application Server ABAP). Your system platform only needs to be configured to be internet capable. This scenario allows for the most flexible setup of the overall communication requirements.

The ICF allows a response to a request to be generated using an application. An HTTP request is sent from a client (such as a Web browser) to the server. It is then forwarded to an application by the ICF. Here, data is collected and sent back to the client as a response by the ICF. The response data is then displayed in the browser.

Note: The following provides more information about using the SAP system as a Web server (HTTP(S) server).
For information about the Web client role of the SAP system, see the online documentation.

The application logic that is to be called by an HTTP request from the intranet or internet is implemented by the HTTP request handler in each case. An HTTP request handler is a program (or, more precisely, an ABAP class) that is identified using a URL, and which receives HTTP requests that use this URL. The task of the HTTP request handler is to receive the data that is sent by a request (for example, coded into the URL as “query string” information), to perform a number of handler-specific processes, and to generate a response to this HTTP request. Customers can also create these HTTP request handlers themselves, although SAP does provide some. An example of an SAP HTTP request handler is the handler CL_HTTP_EXT_BSP for the Business Server Pages (BSP), which can be used to develop simple Web applications.

If an HTTP request is received by the ICM that is to be processed in a work process, the task handler of the work process takes control. It then starts the ICF controller (see the following figure).

Figure 10: Interaction Model of an SAP System in the Server Role

An HTTP(S) request is processed in the following steps (this example uses an ABAP application that must be processed by a dialog work process):
1. The request is sent from the user’s Web browser to the ICM using the HTTP(S) protocol.
2. The ICM stores the data received in a memory pipe (in the shared memory) and informs the ABAP dispatcher.
3. The ABAP dispatcher adds the ICM request to the dispatcher queue, creates a new context (if there is no context that is processed statefully), and selects a dialog work process for processing.
4. The task handler in the work process reads the data from the memory pipe and transfers it to the ICF controller, which is implemented using function module HTTP_DISPATCH_REQUEST.
5. The ICF controller transfers the request to the ICF manager, which is implemented by the ABAP class CL_HTTP_SERVER. The ICF controller creates a server control block and fills it with the HTTP request data that it requested from the ICM.
6. The client is then authenticated, whereby several logon options are available.
7. The HTTP request handler determined previously is called (this can process the request data, call further applications, access the response object, and so on). Once the HTTP request handler has performed all tasks, it returns control to the ICF controller.
8. The task handler writes the response back to the memory pipe (response serialization) and signals to the ICM that it has finished processing the request.
9. The ICM returns the response to the Web browser.

For detailed explanations of the individual steps, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Architecture → Server Architecture.

Note: From a technical point of view, there is an ABAP class behind an HTTP request handler. This class implements the interface IF_HTTP_EXTENSION and the method HANDLE_REQUEST. SAP delivers classes of this type; customers can, of course, also create their own classes with the Class Builder (transaction SE24, integrated into the Object Navigator, transaction SE80).

Properties and Maintenance of ICF Services

The task of ICF services is to link a particular URL with an HTTP request handler. An ICF service therefore creates a connection between a URL to which an HTTP request is sent and development objects that process this request. An SAP system (with AS ABAP) already contains various services directly after it is installed.
The exact scope depends of course on the system type (SAP ECC, SAP S/4HANA Server, and so on) and the release. You can obtain an overview of all available services using the central maintenance transaction for ICF services, transaction SICF. All available services are displayed in a hierarchical structure in transaction SICF. The complete path for a service (such as /sap/bc/icf/info) ultimately determines (together with the protocol, server name, and port) the URL under which the service can be called. The following part of this lesson explains some of the aspects that are relevant for administrators in more detail. Activation Concept ICF services can be active or inactive, which is indicated by different colors in transaction SICF: © Copyright. All rights reserved. 17 Unit 1: Administrating Technology Components for HTTP-based Communication Table 1: Status of ICF Services Status Color in SICF Meaning Active Black Service can be called Inactive Gray Service explicitly deactivated Blue Service implicitly deactivated For implicitly deactivated services, there is always a higher-level service in the ICF tree that has been explicitly deactivated. If you activate that service (displayed in gray), all lower-level services that are implicitly deactivated (displayed in blue) will be activated. When you activate a node (by choosing the menu path Service/Host → Activate or using the context menu that appears when you click the secondary mouse button), you can choose whether you want to explicitly activate the selected service only (Yes) or all of the lower-level subservices (Yes with the tree icon). If you try to call an inactive service, the system will display a message stating that access to this page is forbidden. Activated ICF services are a security risk since they can be accessed directly using HTTP(S) or SMTP from the intranet or internet (depending on your network configuration). 
You should therefore restrict access using suitable measures, such as by activating only the required ICF services and assigning the relevant authorizations to users.

Hint: At the time of installation, all ICF services are inactive so that no ICF service can initially be used. For the behavior of ICF nodes after the implementation of Support Packages, see SAP Note 1447439 – ICF: Services are no longer deactivated after transport and SAP Note 1555208 – ICF services become inactive after upgrade or SP update.

Mass Processing of ICF Services

The reports RS_ICF_SERV_ADMIN_TASKS and RS_ICF_SERV_MASS_PROCESSING provide the option of executing various actions in relation to the services of the Internet Communication Framework. For example, report RS_ICF_SERV_ADMIN_TASKS offers to determine all active HTTP services (or all inactive services) in the system and to write the result to a CSV file. Report RS_ICF_SERV_MASS_PROCESSING in turn offers to activate (or deactivate) ICF services that are listed in a CSV file for all virtual hosts. For more details, see SAP Note 1498575 – Mass processing of ICF services.

Properties and Inheritance

Figure 11: Properties of an ICF Service

An ICF service is characterized by properties that you maintain in transaction SICF. By double-clicking a service, you access the Create/Change a Service screen on which you can configure the following settings:

Service Data tab
● An inheritance principle applies to the properties of an ICF service: In transaction SICF, you do not need to maintain properties for each individual service. You can do this simply for the higher service nodes (for example, /sap/bc/bsp). All lower-level services are then assigned these properties, provided that other values have not been entered explicitly for them. This inheritance process is not always required.
You can use the Ignore inherited settings indicator to control whether this inheritance logic is interrupted. In addition, you can choose the Display Inheritance button in the application toolbar to show the properties for the current service that are inherited from higher-level ICF services.
● Under Load Balancing, you can enter a logon group (from transaction SMLG) using the input help (F4). When you use the SAP Web Dispatcher, requests sent to this service are forwarded only to the ABAP instances of the logon group defined.
● If you enter a value in the Authorization field, the system will check whether the user has this authorization (for authorization object S_ICF, fields ICF_FIELD and ICF_VALUE) at runtime.
● Once the time defined in Session Timeout has expired, a stateful application is terminated (if the value is 00:00:00, the value of the profile parameter rdisp/plugin_auto_logout (default value: 30 minutes) is used).
● If you set Compression to Yes, the SAP system will compress the response (using the gzip technique), provided that the caller can control decompression.
● If you set GUI Interface to Yes, the screen images that are generated in the application by processing conventional dynpros will be converted to a format that allows them to be displayed graphically in a Web browser.
Note: This function (as well as the screen that can be accessed with GUI Configuration) is required for the integrated SAP ITS, which is explained in more detail below.
● The Support Accessibility indicator specifies that an accessibility mode is called if the application has one. However, it cannot be guaranteed that this is the case.

Logon Data tab

There are various ways for an HTTP request to log on to the AS ABAP, and you can configure these for each individual service node.
With the Standard default setting for field Procedure, the following check procedures are used in exactly this sequence:
1. Logon Through HTTP Fields
2. Logon Through SSL Certificate (logon using the client certificate)
3. SAP Logon/Assertion Ticket
4. SAP Assertion Ticket
5. Basic Authentication (logon using the SAP user and password)
6. SAP RFC Logon
7. SAML bearer token
8. OIDC bearer token
9. SPNEGO Authentication
10. SAML Logon
11. OIDC Logon
12. Logon Through Service Data (logon using the anonymous data entered in the service)

By choosing Alternative Logon Procedure as Procedure, you can select any logon procedure (in the Logon Procedure List that appears) and change the check sequence. With Required with Logon Data as Procedure, only those entries specified in the service under Logon Data (client, user, password, and language) are used for the check. You should enter only those users that have been created in transaction SU01 as service users. If you enter a dialog user, the system issues a warning message. Finally, if you select Required with SSL Certificate, logon will occur exclusively with an X.509 client certificate.

Note: For the Standard and Alternative Logon Procedure, you can select the Use All Logon Procedures checkbox to specify whether the respective check sequence is to run until one of the logon procedures is successful, or whether the caller is to receive a negative confirmation as soon as the first logon procedure fails.

Depending on the procedure selected, you can configure additional settings (for example, you can require SSL, that is, the HTTPS protocol).

Handler List tab

Here, you list the HTTP handlers in the sequence in which they are to be executed. An HTTP request handler is an ABAP class that implements the interface IF_HTTP_EXTENSION. This interface contains the method HANDLE_REQUEST, which is called by the ICF.
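The following Python sketch is an added example, not SAP code and not part of the original handbook. It applies the activation rules from Table 1 (explicitly versus implicitly deactivated services) and the inheritance principle for the Authorization field to a list of services, and reports active services that are not on a list of required services. The column layout, the function names, and the values ZBASE and ZBSP are assumptions made for illustration; the layout is not the CSV format written by report RS_ICF_SERV_ADMIN_TASKS.

```python
import csv
import io

# Constructed sample data. The column layout is hypothetical and is NOT the
# CSV format of report RS_ICF_SERV_ADMIN_TASKS.
#   explicit         - state set on the node itself: active / inactive
#   auth             - value of the Authorization field (empty = none entered)
#   ignore_inherited - X if "Ignore inherited settings" is set on the node
SAMPLE = """path,explicit,auth,ignore_inherited
/sap,active,,
/sap/bc,active,ZBASE,
/sap/bc/icf,active,,
/sap/bc/icf/info,active,,
/sap/bc/gui,inactive,,
/sap/bc/gui/sap,active,,
/sap/bc/gui/sap/its,active,,
/sap/bc/gui/sap/its/webgui,active,,
/sap/bc/bsp,active,ZBSP,
/sap/bc/bsp/sap,active,,X
/sap/public,active,,
/sap/public/bc,active,,
"""

# Services this (constructed) system is supposed to offer.
REQUIRED = {"/sap/bc/gui/sap/its/webgui", "/sap/public/bc"}


def load_nodes(text):
    """Parse the service list into {path: row}."""
    return {row["path"]: row for row in csv.DictReader(io.StringIO(text))}


def ancestors(path):
    """Yield the higher-level nodes of a path, nearest first."""
    parts = path.strip("/").split("/")
    for i in range(len(parts) - 1, 0, -1):
        yield "/" + "/".join(parts[:i])


def status(nodes, path):
    """Return (status, blocking node) following Table 1."""
    if nodes[path]["explicit"] == "inactive":
        return "inactive (explicit)", path          # gray in SICF
    for anc in ancestors(path):
        if anc in nodes and nodes[anc]["explicit"] == "inactive":
            return "inactive (implicit)", anc       # blue in SICF
    return "active", None                           # black in SICF


def effective_auth(nodes, path):
    """Authorization value in effect: own value, else the nearest inherited one.

    Simplified model of the inheritance principle: a node with
    "Ignore inherited settings" takes nothing from higher-level nodes.
    """
    current = path
    while True:
        node = nodes[current]
        if node["auth"]:
            return node["auth"]
        if node["ignore_inherited"]:
            return ""
        parent = next(ancestors(current), None)
        if parent is None or parent not in nodes:
            return ""
        current = parent


def audit(nodes, required):
    """List active services nobody asked for and required ones that are off."""
    needed = set(required)
    for path in required:
        needed.update(ancestors(path))   # parents must be active as well
    findings = []
    for path in sorted(nodes):
        state, blocker = status(nodes, path)
        if state == "active" and path not in needed:
            auth = effective_auth(nodes, path) or "none"
            findings.append(("unexpected_active", path, auth))
        elif state != "active" and path in required:
            findings.append(("required_inactive", path, blocker))
    return findings


if __name__ == "__main__":
    for kind, path, detail in audit(load_nodes(SAMPLE), REQUIRED):
        print(f"{kind:18} {path:32} {detail}")
```

In the sample, /sap/bc/bsp/sap is reported as active with no authorization value in effect because it ignores inherited settings, and the required webgui service is reported as blocked by the explicitly deactivated node /sap/bc/gui.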
Error Pages tab

On the Error Pages tab, you can specify which response pages are to be sent to the caller in the following situations:
● Logon Errors (HTTP 401: logon failed)
● Appl. Errors (HTTP 500: An error occurred in the application, for example, ABAP short dump)
● Logoff Page
● Not Accessible (HTTP 404: not found)

In each case, either an explicit response page can be sent to the Web browser or the caller can be redirected to another URL. In the Logon Errors area, you can also enable a direct system logon if an error occurs.

Note: Under the /sap/public node, services are defined that are required for system-internal services. These differ from the other services in the tree since no credentials are maintained. You therefore do not need to log on to the SAP system to use these services. The actions are carried out under the SAPSYS system user. Therefore, customers are not permitted to create their own services under the /sap/public node.

Administration tab

The Administration tab contains administration data such as the user who created a service and the user who last changed it. In addition, you can flag services to be administration services. Administration-relevant ICF services should be especially protected against unauthorized access. To do this, these services can be grouped together under a separate virtual host (such as SAP_ADMIN_VH), which is reached by its own port and can be given special access restrictions. For more information, see SAP Note 1778777 – Development of an admin application and SAP Note 1748112 – Making admin services accessible through their own port (which contains a PDF attachment concerning the Separation of HTTP Administration Requests Using a Dedicated Port).

Hint: If logon data is defined for an ICF service that is then transported, the logon data will be deleted during transport. This is due to security reasons.
Furthermore, it is not possible to guarantee that the respective user exists in the target system. The user must therefore be maintained in the target systems. For more information, see SAP Note 732218 – ICF: Logon data from SICF is not transported. Also for security reasons, ICF services that have been transported to a target system are initially inactive and must be activated explicitly (see also SAP Note 517484 – Inactive services in the Internet Communication Framework).

ICF Aliases

In the ICF, you can link from one ICF service to another existing service (“alias”). A distinction is made between internal and external aliases:
● On the Define Services screen in transaction SICF, when you create a service and choose Alias to Existing Service, you create an internal alias. Instead of defining an HTTP request handler, use the Target tab to specify (by double-clicking) the target handler to which the alias is to refer in the HTTP service tree. This allows you, for example, to call the existing and unchanged service with alternative settings (such as logon data and logon procedure).
Note: If possible, customers should not create internal aliases to SAP services (which are always in the /sap/ namespace).
● To allow services to be called with any meaningful, non-technical names, customers should use external aliases. For this, switch to the Maintain external aliases view in transaction SICF. Unlike an internal alias, an external alias can contain a forward slash (“/”) in its name; otherwise, both procedures are handled in the same way (apart from transport settings).

Figure 12: External Aliases

ICF Recorder

The ICF recorder enables developers and administrators to identify and correct the source of errors in failed service calls by recording HTTP requests. You can use it to save recorded requests (without the passwords used) in the system database.
This facilitates the evaluation process since it is usually no longer necessary to describe the error so that the problem can be reproduced. The problem can be executed multiple times using the database entry in order to further identify the root cause of the problem by debugging or work process traces. Once the problem has been corrected, the erroneous data can be used to check the corrections.

Figure 13: ICF Recorder

You can call the ICF recorder from the Define Services screen (see figure above) or from the Maintain external aliases screen in transaction SICF by choosing the menu path Edit → Recorder → Activate/Deactivate/Display Recording; you can also use transaction SICFRECORDER for the evaluation process. The basic steps are:
1. Activate the recording. You have to enter:
   a. The URL path in ICF to be recorded (if you have previously selected a path, this is used as the default value)
   b. The duration of the recording and the storage period in the database (Lifetime)
   c. Whether the requests of one user (user-dependent, recommended) or all users of the current client are to be recorded
   d. Whether you want to record the request only or the response as well
2. Call the services to be monitored (if necessary, using the selected user).
3. Deactivate the recording (to prevent performance losses).
4. Display and process the recorded requests.

Note: In the administrator settings (available on the Define Services screen in transaction SICF under the menu path Goto → Settings), you can prevent the ICF recorder from being used system-wide. You can use authorization object S_ICFREC to control access to the request data using the ICF recorder.

SAP GUI for HTML

SAP GUI for HTML maps SAP screens to HTML pages. Technically, SAP GUI for HTML is realized as ICF service /sap/bc/gui/sap/its/webgui.
Figure 14: SAP GUI for HTML

You start the SAP GUI for HTML by entering the URL http(s)://<server with domain>:<ICM port>/sap/bc/gui/sap/its/webgui. Alternatively, start transaction WEBGUI in SAP GUI for Windows or in SAP GUI for Java. The general remarks about the properties of an ICF service that are stated above (such as client, logon language, and so on) also apply here.

SAP GUI for HTML can also be used on touch-based mobile devices such as Apple iPad and Android tablets. For more details, refer to SAP Note 2792965 – Touch support for tablet devices in SAPGUI for HTML.

Because of the technical attributes of HTML or the Web browser, the use of SAP GUI for HTML is somewhat restricted as compared to the use of SAP GUI for Windows or SAP GUI for Java:
● The controlling of an OLE automation server is not possible.
● Keyboard navigation is limited as known from other web applications.
● Office integration is view only.
● Some controls offered in SAP GUI for Windows used for special purposes (such as the advanced ABAP Editor Control) are not available.

To see if a transaction is supported for use with SAP GUI for HTML, check the flags in transaction SE93 (display the transaction code in question and check section GUI support).

Note: For release-specific functionality and limitations of SAP GUI for HTML, refer to SAP Note 314568 – SAP GUI for HTML functionality / Limitations / Sp. Behaviour.

SAP GUI for HTML Settings

Figure 15: SAP GUI for HTML Settings

The settings of a user are stored in the system database.

Note: The communication between the web browser and the application server instance uses the ABAP Push Channels (APC) technology. Ensure that the ICF service /sap/bc/apc/sap/webgui_services is active.

Frontend Sub-Records (FESR) Logging

To troubleshoot SAP GUI for HTML related performance problems, SAP GUI for HTML offers Frontend Sub-Records (FESR) Logging.
FESR Logging contains very detailed information about the duration of the browser-to-server communication. It can be enabled on the SAP GUI for HTML – Settings screen (see figure above), in area Tools → Performance → . From there, the logging results can also be displayed. For more information, see SAP Note 2981366 – How to use FESR Logging in ITS WEBGUI (SAP GUI for HTML).

Prerequisites for SAP GUI for HTML

The following figure lists supported Web clients for SAP GUI for HTML.

Figure 16: SAP GUI for HTML Client Support

For details, please check the Platform Availability Matrix at https://support.sap.com/pam. For more information on themes in SAP GUI for HTML, see SAP Note 1508958 – Look and Feel in the WEBGUI and SAP Note 2540597 – Supported Themes for SAPGUI for HTML.

Prerequisites for SAP GUI for HTML
● The ICF service /sap/bc/gui/sap/its/webgui is active and the property GUI Interface is set to Yes.
● The ICF service /sap/bc/apc/sap/webgui_services is active.
● The SAP Internet Transaction Server (SAP ITS) is active.

Note: Depending on the release of software component SAP_BASIS in your SAP system, you have to activate further ICF services. For a detailed list, refer to SAP Note 2213657 – Which ICF services need to be activated in order to start SAP GUI for HTML (WebGUI/HTML-GUI)?.

Hint: For details on the SAP Internet Transaction Server (SAP ITS), see the next section.

SAP Internet Transaction Server (SAP ITS)

SAP ITS Architecture

The SAP Internet Transaction Server (SAP ITS) is completely integrated in the infrastructure of the AS ABAP: It is accessed via the ICM process, implemented as a number of ICF services, and uses the database as an object storage location.
Figure 17: SAP ITS – Architecture

Besides the SAP GUI for HTML, SAP ITS also supports the Internet Application Components (IAC) programming model.

Hint: The HTML Business Templates mentioned on the figure above are relevant for selected IACs, but not for SAP GUI for HTML.

SAP ITS Configuration

The SAP ITS is automatically installed with the SAP kernel as part of AS ABAP 6.40 and above. To use the SAP ITS, the following prerequisites must be met:

Prerequisites for SAP ITS
● The ICM process is operational and configured for HTTP(S).
● Profile parameter itsp/enable is set to 1.
● The required SAP ITS service is active in the ICF and the property GUI Interface is set to Yes.
● The ICF service /sap/public/bc/its/mimes is active in the ICF and the property GUI Interface is set to Not specified.

For the SAP ITS, various profile parameters are relevant, which all begin with itsp/. Administrators can use the usual methods to call documentation for individual parameters (transaction RZ11) and change the assigned values permanently (transaction RZ10). Two profile parameters are particularly significant in relation to the SAP ITS:
● itsp/enable: You use this to deactivate (0) and activate (1) the SAP ITS. Even if the SAP ITS is active, it uses the system resources only when it is actually used. However, it can be useful to deactivate it for selected application servers (instances) so that no users can access the SAP system via the SAP GUI for HTML with these instances (for example, batch or update instances). Since the conversion of SAP screen images to HTML pages also requires CPU time, it is useful to reserve a number of dedicated instances for use with SAP GUI for HTML and to use a special logon group for load balancing between them.
● em/global_area_MB: This parameter determines the memory commonly used by all ABAP work processes of the SAP kernel. The SAP ITS uses it for session information and the runtime version of the HTML Business templates. The required memory space depends on the number of sessions currently in use, as well as on the number and size of the templates used when users want to call and display services. If your users log onto the SAP ITS in different languages or with different Web browsers (for example, Microsoft Edge and Firefox), or if you require additional services that are not included in SAP GUI for HTML, the number of templates used will increase and you will have to adapt em/global_area_MB (see SAP Note 742048 – Integrated ITS, memory requirement in application server and SAP Note 885580 – Integrated ITS: Configuration Parameters).

Alongside these profile parameters, which are evaluated by the kernel and affect the entire SAP ITS, there are also service parameters, which affect the individual SAP ITS services. You maintain these settings in transaction SICF. The basic behavior (such as logon, anonymous logon data, service options, security requirements, basic authorizations, and customized error pages) results from the properties of the SAP ITS services in the ICF, as is also the case with “normal” ICF services. You maintain other, SAP ITS-specific service parameters (that begin with ~) in transaction SICF on the Create/Change a Service screen. Choose the Service Data tab and in the Interactive Options area, choose GUI Configuration.

Hint: For more information about these parameters, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → UI Technologies → SAP GUI → SAP GUI Technology → SAP GUI for HTML. From here choose subentries
● SAP ITS in SAP NetWeaver Application Server and
● Configuration.
From subentry SAP ITS in SAP NetWeaver Application Server, you can also use a link leading to the documentation of the Internet Communication Framework.

Developers create new SAP ITS services with the Web Application Builder for ITS Services, a tool in the ABAP Development Workbench (transaction SE80; in the Repository Browser, select Internet Service). By default, services are published to the (implicitly available) site of the (integrated) SAP ITS. The SAP ITS service must also be created in the ICF, and can be accessed with the URL http(s)://<server with domain>:<ICM port>/<ICF path>/<ITS service name> (or by choosing Test Service for the service in question in transaction SICF).

Hint: After the installation or after an upgrade of an AS ABAP based SAP system, SAP ITS services may not be executable in the SAP ITS, or the services that start may not behave as they should in the current version because services are not automatically published to the SAP ITS after an installation or upgrade. SAP Note 790727 – Publishing all ITS-objects at the same time and 2206029 – ITS errors after an upgrade or change show how to solve this potential issue.

SAP ITS Monitoring

The administrator can use the tools integrated in the AS ABAP (such as transactions SM21, ST22, SMICM, and SICF) to monitor the SAP ITS. The SAP ITS does not have special trace files, but instead uses the standard developer trace files of the work processes dev_w*.trc. Developers can specially activate ICF and/or WebGUI tracing (in transaction SM50 (menu path Administration → Trace → Active Components) or with program RSTRC000, component WebGui). They can also use transaction SITSPMON and program SITSPMON, which provides a detailed status summary of the SAP ITS.
Figure 18: SAP ITS – Monitoring

The following list contains a number of selected monitoring functions for the SAP ITS:
● Parameter: Status, message text, Feature Set version, and profile parameters
● Memory Statistics: Overview and details about memory consumed by sessions and ABAP work processes
● Template & Mime Cache: Status and invalidation of caches for HTML templates and MIME objects
● Mutex Locks (from “mutual exclusion”): Technology for preventing simultaneous access to a resource by several processes

For more information on features of the SAP ITS, see SAP Note 890606 – SAP NetWeaver 2004s integrated ITS: New Features.

Active Services for Web Dynpro ABAP

SAP Note 1088717 – Active Services for Web Dynpro ABAP in SICF lists the services in transaction SICF which need to be activated for Web Dynpro ABAP applications, for the Web Dynpro ABAP development environment as well as for Web Dynpro ABAP applications for troubleshooting.

Additional Information on the Internet Communication Framework

Concerning the Internet Communication Framework (ICF), the following paths in SAP Online documentation and the following SAP Notes might be helpful for further information:
● Online documentation for SAP S/4HANA (Product Assistance), area
  - Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework
  - Enterprise Technology → ABAP Platform → UI Technologies → SAP GUI → SAP GUI Technology → SAP GUI for HTML
● SAP Note 517484 – Inactive services in the Internet Communication Framework
● SAP Note 709038 – SAP Integrated ITS
● SAP Note 698329 – Integrated ITS, WEBGUI/IAC logon fails
● SAP Note 732218 – ICF: Logon data from SICF is not transported
● SAP Note 2460180 – SSO failed in transaction NWBC,
SOAMANAGER, SOLMAN_SETUP, SM_WORKCENTER, DBACockpit, ILM_SB etc.
● SAP Note 1088717 – Active services for Web Dynpro ABAP in transaction SICF
● SAP Note 1508958 – Look and Feel in the WEBGUI
● SAP Note 1555208 – ICF services become inactive after upgrade or SP update
● SAP Note 2661761 – ICF Services - what is mandatory and what can be deactivated?
● SAP Note 2710306 – All ICF services under DEFAULT_HOST are Inactive
● SAP Note 2658822 – Release notes for SAP GUI for HTML (short WEBGUI)

LESSON SUMMARY
You should now be able to:
● Explain the importance of the ICF for handling HTTP requests
● Describe what constitutes an ICF service
● Illustrate the idea of the ICF recorder
● Perform changes to SAP GUI for HTML settings
● List prerequisites for the use of SAP integrated ITS

Unit 1 Lesson 4
Maintaining UI-related Software Components

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Perform an update to the latest Unified Rendering patch
● Perform an update to the latest SAPUI5 patch

Update Unified Rendering

Unified Rendering (UR) is a high performance client- and server-side HTML5 and JavaScript based rendering UI library that is optimized for consumption of SAP legacy applications. It was continuously improved over the years and will be further enhanced. Unified Rendering combines flexibility with known SAP strengths such as enterprise readiness and full product standard support:
● One consistent user experience for your applications
● Desktop based browser support for Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge and IE11 (Standards & Quirks Mode)
● Feature-rich UI controls for handling complex UIs
● Keyboard interaction support and accessibility features incl.
ARIA support
● Full translation support and right-to-left (RTL) enabled
● Based on open standards like JavaScript, CSS, and HTML5
● Support of all existing SAP themes including SAP Corbu, SAP Belize and High Contrast Themes for SAP Fiori use cases
● Powerful theming support to customize look & feel using SAP Theme Designer
● Integration of active content (depends on browser): Adobe Forms, MS Office, Flash, ActiveX, Java Applet

Figure 19: Unified Rendering

There are two variants of Unified Rendering available:

UR Lightspeed
● Used by the UI frameworks Web Dynpro ABAP (Floorplan Manager), SAP GUI for HTML, Web Dynpro Java and others
● Based on a release-independent codeline
● Fixes and browser adaptions delivered once a month as cumulative patch (for example part of the Web Dynpro ABAP TCI Note or SAP Kernel for SAP GUI for HTML) to ensure high quality
● Version identifier based on the schema <year><month> (for example “2109”) and on technical CSS theming version (for example “10.30.7.336851.0”)
● New features are delivered indirectly by the UI frameworks, for example with a new AS ABAP release or Support Package (Stack)

UR Classic (deprecated)
● Used by SAP Enterprise Portal (Knowledge Management), BSP, BI BEX
● No support for modern styles (Corbu, Blue Crystal, Belize)
Figure 20: UR Architecture

The components of the UR architecture are:
● Control-Interface & Control-Renderer
  - Common definition of HTML Renderer written in XML
  - Compiled into various programming languages (ABAP, C++, Java, JavaScript)
  - Used by multiple programming models
● JavaScript Framework
  - Small initial JS Framework
  - On-demand loading and lazy instantiation of control specific JavaScript
  - Lazy instantiation of JS Controls
  - Client side capabilities
● Theming
  - Based on LessCSS
  - Theming using Theme Designer
  - UI Framework independent parameters shared by all SAP UI technologies (for example SAPUI5)

The update procedure for UR Lightspeed depends on the UI framework:
● An overall overview about the Unified Rendering Lightspeed patch process for all UI Frameworks is given in SAP Note 2500800 – UR: General information about cumulative patches for Unified Rendering
● For SAP GUI for HTML, update the SAP Kernel (see SAP Note 2504011 – SAP GUI for HTML: Unified Rendering Update - Instructions and Forecasts)
● For Web Dynpro ABAP, use the TCI Note mechanism (as described below)

Figure 21: Available UR Version on AS ABAP

To check the version of UR in an ABAP-based SAP system, execute program WDG_MAINTAIN_UR_MIMES (using transaction SA38, for example).

Figure 22: Maintain UR for Web Dynpro ABAP

To update UR Lightspeed for Web Dynpro ABAP in an ABAP-based SAP system, perform the following steps:
1. Check if your SAP system is enabled for Transport-based Correction Instructions (TCI). Consult SAP Note 2187425 – Information about SAP Note Transport based Correction Instructions (TCI) and carefully read the attachment TCI_for_Customer.pdf.
2. If required: apply a SPAM/SAINT update.
3.
Consult the central SAP Note 2090746 – WD ABAP: Unified Rendering Update with TCI - Instructions and Related SAP Notes on Unified Rendering update with TCI to determine the most recent TCI Note for your SAP release.
4. Download the proper note using transaction SNOTE.
5. Import the TCI transport and the corresponding TCI UR SAP Note using transaction SNOTE.
6. If you are using a custom theme, it might be necessary to install new theme meta data in the ABAP Backend or SAP Enterprise Portal and to regenerate the custom theme:
   ● Using the Theme Designer in AS ABAP: meta data is shipped using Web Dynpro ABAP TCI Note.
   ● Using Theme Designer in SAP Enterprise Portal: Themes are shipped with EPBASIS.SCA respectively EP-FLP.sca.

Related Information
● SAP Wiki page on UR update at https://wiki.scn.sap.com/wiki/display/WDABAP/Unified+Rendering+Update
● SAP Note 2187425 – Information about SAP Note Transport based Correction Instructions (TCI)
● SAP Note 2090746 – WD ABAP: Unified Rendering Update with TCI - Instructions and Related SAP Notes
● SAP Note 2500800 – UR: General information about cumulative patches for Unified Rendering

Patch SAPUI5

Introduction to SAPUI5

Figure 23: SAP UI Development Toolkit for HTML5

The SAP UI Development Toolkit for HTML5 (SAPUI5) is a client-side HTML5 and JavaScript-based rendering UI library and programming model that is optimized for consumption of SAP data. It combines new qualities such as openness and flexibility with known SAP strengths such as enterprise readiness and product standard support.
SAPUI5 is a JavaScript-based library for modern Web business applications:
● One consistent user experience for your apps
● Responsive across browsers and devices (smartphones, tablets, desktops)
● Feature-rich UI controls for handling complex UI patterns
● Keyboard interaction support and accessibility features
● Full translation support
● Based on open standards like JavaScript, CSS3, and HTML5
● Powerful theming support based on CSS
● Using and including the popular jQuery library

To access the SAPUI5 SDK or the demo kit, visit https://sapui5.hana.ondemand.com.

Figure 24: Browser and Platform Support 1/2

Specific libraries may have different browser support. The single source of truth about supported browsers and platforms is the Product Availability Matrix (PAM) that you can find at https://support.sap.com/pam. SAPUI5 is not a product on its own, so please check the PAM for the product you're using SAPUI5 with (for example: SAP S/4HANA 2020 for SAPUI5 1.84.xx). To access the SAPUI5 Browser Support page, navigate to <Product Page in PAM> → General Information → Details & Dates → Essential Information → Open in New Window → Browser Support → <Page on SAPUI5>.

Figure 25: Browser and Platform Support 2/2

The figure shows the details for software component SAP_UI 7.56 with SAPUI5 1.96.xx, as an example. For more information, see SAP Note 1716423 – SAPUI5 Browser Support. For the browser and platform support of the SAPUI5 Demo Kit, please refer to the Browser and Platform Support section in the online documentation.

Figure 26: Versioning of SAPUI5

The figure Versioning of SAPUI5 explains the version schema of SAPUI5.
Maintaining SAPUI5

Figure 27: Maintenance Strategy

SAPUI5 provides innovations on a regular basis through maintenance versions and innovation versions. As long as an SAPUI5 version is still in maintenance, SAP provides patches with fixes. An innovation version is only maintained until the next version of SAPUI5 is released. Maintenance versions have an extended maintenance period in which SAP still provides patches even though a higher version is already available. This is because the SAPUI5 version is included in a release of the SAP_UI component. For example, the following version has an extended maintenance: 1.84, as SAPUI5 version 1.84 is included in SAP_UI 7.55. In the version overview at https://sapui5.hana.ondemand.com/versionoverview.html, you can see which SAPUI5 versions have an extended maintenance. For more information on the SAPUI5 maintenance strategy for AS ABAP, see SAP Note 2217489 – Maintenance and Update Strategy for SAP Fiori Front-End Server.

To view the documentation for a specific version, check at https://sapui5.hana.ondemand.com/versionoverview.html which versions are available. You can view the version-specific Demo Kit by adding the version number to the URL, for example https://sapui5.hana.ondemand.com/1.96.12. To get an overview of the new features of each version, see What's New in SAPUI5. To see the fixes contained in each patch check the Change Log.

Figure 28: Available SAPUI5 Versions in AS ABAP

In the above-mentioned URL, replace
● <hostname> with the host name
● <domain> with the domain
● <port> with http(s) port of your ABAP System (ICM process or SAP Web Dispatcher).

Figure 29: Maintain SAPUI5

Perform the following steps to patch SAPUI5:
1. Consult SAP Note 2217489 – Maintenance and Update Strategy for SAPUI5.
2. Download the proper patch file (UI5CLIENT##P_##-#######.ZIP): see SAP Notes with title ABAP SAPUI5 <Version> release.
3. In the development system, create a Transport Request of type Workbench Request.
4. Avoid timeouts in dialog processing: set profile parameter rdisp/scheduler/prio_normal/max_runtime = 3h (three hours).
5. Upload the SAPUI5 patch: execute program /UI5/UI5_UPLOAD_PATCH_TO_MIME (in test mode first).
6. Release the Transport Request in the development system.
7. Import the Transport Request into the next stages (quality assurance and production, typically).

Figure 30: Program /UI5/UI5_UPLOAD_PATCH_TO_MIME

LESSON SUMMARY
You should now be able to:
● Perform an update to the latest Unified Rendering patch
● Perform an update to the latest SAPUI5 patch

Unit 1 Lesson 5
Configuring SAP Gateway

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain OData
● Explain SAP Gateway
● Perform basic configuration steps for SAP Gateway
● Enable SAP Gateway soft state
● Configure SAP Gateway routing

OData Standard

Figure 31: Architecture of the World Wide Web

One important aspect of the architecture of the World Wide Web is the use of abstract interfaces for component communication. These abstract interfaces are presented as connectors. A client and a server each use a connector component. There is a contract between both connectors that defines the application protocol. It defines the documents, their format, and the behavior. Any protocol can be chosen. By using the connector concept, both client and server are largely independent and exchangeable. Each connector translates the documents exchanged on the communication channel to the internal representations both on the server and on the client side, and vice versa.
The OData protocol defines such a contract by specifying a uniform protocol that has the necessary qualities. For instance, a connector attached to an SAP back-end system translates between ABAP APIs and OData entities. SAP Gateway is such a connector. On the other side, a client connector translates between OData entities and the APIs of the consumer platform. The connector is specified here. As a consequence, any client platform with libraries supporting the contracted OData format can communicate with any server supporting the same contract.

OData follows the Representational State Transfer (REST) architecture design paradigm in the sense that the protocol transfers representations of the state of resources. The term resource denotes data that is addressable and accessible. The standard address representation of a resource is the Uniform Resource Identifier (URI). A client requests a resource from a server by sending a request to a URI. The server processes the request by translating the URI to internal address data to access or manipulate the data, and then assembles the response.

Open Data Protocol

Figure 32: Open Data Protocol

OData is an open standard originally developed by Microsoft but now managed by the OASIS organization. It is based on the Atom Publishing and Atom Syndication standards, which, in turn, are based on XML (Extensible Markup Language) and HTTP(S) (HyperText Transfer Protocol (Secure)). JSON (JavaScript Object Notation) is an alternative to XML to structure data.

The objective of the OData protocol is to provide a vendor-neutral, web-based API that fully complies with the design principles of Representational State Transfer (REST). OData provides database-like access to server-side resources. In this context, OData is also called ODBC for the Web.

Note: Open Database Connectivity (ODBC) is a widespread database access method.
OData is also extensible. This enables SAP to supplement the data types used by OData with extra information from the ABAP Data Dictionary. Another example is metadata-driven development for Web and mobile like SAP Fiori elements.

OData is available in version 2 (V2), version 3 (V3), and version 4 (V4). The versions are built on each other, each extending the previous version by adding new features. The majority of OData services are based on V2. SAP Gateway supports OData V2 since AS ABAP 7.00 and OData V4 since AS ABAP 7.50. OData V3 was skipped in SAP Gateway and is therefore not supported.

SAP Gateway Foundation

Figure 33: OData Provider

SAP offers a variety of OData providers. SAP Gateway (up to the end of 2014 known as SAP NetWeaver Gateway) provides a single entry point to access business data of ABAP-based systems such as the SAP Business Suite or SAP S/4HANA. The SAP HANA Extended Applications Services (XS) has the same role in SAP HANA – just to name another important OData provider.

Caution: SAP Gateway must not be confused with the kernel’s gateway process used for communication via RFC.

By using OData, business data can be shared among multiple environments and platforms. SAP knowledge is not required for the consumption of the data. Usually client-based applications consume SAP Gateway services and interact directly with the user. Applications in a Web browser are a common example. However, it is also possible for an SAP Gateway service to be used as an API (Application Programming Interface) by a server-based application. Additional servers can be added to the communication path to enhance the possibilities for client and server. For mobile devices, the SAP Mobile Services add additional value to the applications.
For AS ABAP 7.00 to 7.31, SAP Gateway consists of individual add-ons that provide the OData functionality. These can be divided into the following areas:

Runtime
Provides the OData and thus the SAP Gateway service externally via the URI.

Design Time
Contains the development environment and programs for processing the requests to the service.

First introduced in AS ABAP 7.40 and finalized in AS ABAP 7.51, all add-ons are merged in the software component SAP_GWFND (SAP Gateway Foundation). This offers everything needed for the OData runtime and design time.

Note: Some SAP Gateway add-ons may still exist in an AS ABAP 7.51 after an upgrade. These are deprecated and should be uninstalled. Either their functions are now part of software component SAP_GWFND or they are no longer supported.

SAP Gateway Deployment Options

Figure 34: SAP Gateway Deployment Options

There are three possible deployment options for SAP Gateway (hub is a synonym for front-end server (FES)):

Hub deployment with development in back-end server (BES)
A hub deployment offers the possibility of routing and composition of multiple back-end systems. It is the single point of access to back-end systems when using OData. This increases security and flexibility in operation. This is the recommended setup for SAP Business Suite.

Hub deployment with development in front-end server (FES)
When developing in the FES, data is only read via RFC-enabled function modules from the BES, which enables access to data of a BES not able to provide an OData service on its own. This grants more freedom in selecting a system as data source. This is the recommended setup for integrating multiple BES with different releases.

Embedded deployment
When developing in the BES, the application source code has direct access to the definition of the data and other repository objects.
This increases performance and efficiency in development. This is the recommended setup for SAP S/4HANA.

SAP Gateway Components

Figure 35: SAP Gateway Components

For AS ABAP 7.00 to 7.31, SAP Gateway consists of individual add-ons that provide the OData functionality. The OData runtime consists of the Gateway Core (GW_CORE) and the Information Worker Foundation (IW_FND) and thus contains the service registration as well as the runtime. The central add-on Business Enablement Provisioning (IW_BEP) of the design and service provider runtime contains the tools for service implementation. Other add-ons can also be installed, for example:
● Process Gateway Workflow (IW_PGW)
● Generic Interaction Layer (IW_GIL)
● Service Provider Infrastructure (IW_SPI)

As of AS ABAP 7.40, GW_CORE, IW_FND, IW_BEP, and IW_HDB (SAP HANA Database) have been merged in software component SAP_GWFND (Gateway Foundation). This offers everything needed for the OData runtime and implementation. The additional add-ons that are still possible are grouped together in data model consumption and generators.

As of AS ABAP 7.51, IW_PGW has also been merged into software component SAP_GWFND. This offers general SAP Workflow functionality via SAP Gateway, used especially in the area of SAP Fiori. In addition, all other SAP Gateway add-ons are deprecated and should be uninstalled. Either the functions are now part of software component SAP_GWFND or they are no longer supported.

Note: SAP Gateway in AS ABAP 7.00 up to 7.31 is often referred to as SAP Gateway 2.0. Starting with AS ABAP 7.40, the new term is SAP Gateway Foundation like in SAP_GWFND.
Figure 36: SAP Gateway Foundation Support Package Stack Mapping

Starting with SAP NetWeaver 7.50 SP03, new developments in SAP Gateway have only been performed for the software component SAP Gateway Foundation (SAP_GWFND) in the highest SAP NetWeaver release. Starting with SAP NetWeaver 7.52 SP01, it has been decided to downport the following structure packages and their sub-packages of the SAP Gateway Foundation framework to SAP NetWeaver 7.51:
● /IWFND/FRAMEWORK
● /IWBEP/FRAMEWORK
● /IWCOR/TD_CSI

This includes the latest development for the SAP Gateway foundation framework for OData V4 as well as for OData V2. It does not, however, include the components of the Notification Channel.

Please note that
1. in certain use cases there might be slight variations in the functionality.
2. not all functionalities have been down-ported (see list of down-ported software packages above).

As a result, the above-mentioned sub-packages of the SAP Gateway framework in SAP NetWeaver 7.52 SP01 are equivalent to their counterparts in the SAP Gateway framework in SAP NetWeaver 7.51 SP05 and SAP NetWeaver 7.50 SP11. The same is true for higher releases and their counterparts visible in the table. The last available down-port for SAP_GWFND 7.50 is included in SP12. The last available down-port for SAP_GWFND 7.51 is included in SP09. No further down-ports are planned for these releases. Please find more information in SAP Note 2512479 - SAP Gateway Foundation Support Package Stack Definition.

SAP Gateway Administration

Figure 37: Basic SAP Gateway Configuration

Four steps are needed as basic configuration in SAP Gateway to enable the communication via OData:
1. Create RFC destination to BES in FES (not needed for embedded deployment)
2. Activate SAP Gateway in FES (in BES for embedded deployment)
3. Create system alias in FES (optional for embedded deployment)
4. Activate ICF nodes under /sap/opu in FES (in BES for embedded deployment)

Figure 38: System Alias Settings

Depending on the deployment option of SAP Gateway, the system alias needs certain settings:
● In a hub deployment with development in BES, neither the flag Local GW nor Local App must be set.
● In a hub deployment with development in FES, only the flag Local App must be set.
● In an embedded deployment, only the flag Local GW must be set.

The last combination with both flags set is only used in an embedded deployment for services developed originally for the hub deployment with development in FES.

Note: The system ID and client for a system alias are used as a filter when registering an SAP Gateway service via the SAP Gateway Service Builder. This makes it easier for the developer to choose the correct system alias and therefore reduces errors.

Figure 39: OData on Back-End and Co-Deployed

Since AS ABAP 7.50 SP04 it is possible to route the whole processing of the OData request to the BES. The feature was called Micro Hub in AS ABAP 7.50 but was renamed to OData on Backend in AS ABAP 7.51. This may increase the performance of the service calls depending on the scenario concerning workload in FES and BES or of the network.

The following steps are needed to enable OData on Backend for an SAP Gateway service:
1. Define a system alias in FES with flag OData on Backend enabled.
2. Register a service in FES using this system alias in processing mode Routing-based.
3. Register the same service in BES using no system alias in processing mode Co-deployed only.

In addition to the feature OData on Backend in a hub deployment, it is recommended today to register SAP Gateway services in an embedded deployment in processing mode Co-deployed only.
This increases the general performance of OData requests by skipping any communication part in an AS ABAP normally involved when connecting FES to BES.

Figure 40: SAP Gateway Alias

Besides the system alias connecting FES to BES, the SAP Gateway alias enables connection from BES to FES. This is not needed for calling an SAP Gateway service but becomes useful when developing one. Two steps are needed to enable developers to register, manage, and test their OData services via the SAP Gateway Service Builder (transaction SEGW):
1. Create RFC destination to FES in BES (not needed for embedded deployment)
2. Create SAP Gateway alias in BES

Figure 41: SAP Gateway Task Lists

In the Task Manager for Technical Configuration (transaction STC01), several task lists are in place to make initialization and handling of SAP Gateway easier:

SAP_GATEWAY_BASIC_CONFIG (since AS ABAP 7.40)
Performs basic configuration like activating SAP Gateway, central ICF nodes, and metadata cache.

SAP_SAP2GATEWAY_TRUSTED_CONFIG (since AS ABAP 7.40)
Creates and configures a trusted RFC connection between BES and FES including single sign-on.

SAP_GATEWAY_ACTIVATE_ODATA_SERV (since AS ABAP 7.40)
Registers a list of SAP Gateway services routing-based or co-deployed.

/IWFND/TL_SERVICE_MAINTENANCE (since AS ABAP 7.54)
Enables mass maintenance of SAP Gateway services like handling system alias assignment, setting processing mode, service deletion or transport.

SAP Gateway Tools

Figure 42: SAP Gateway Service Maintenance (OData V2)

The SAP Gateway Service Maintenance (transaction /IWFND/MAINT_SERVICE) provides a list of all the OData V2 services registered in the system. Complete management of the SAP Gateway services is carried out here.
The transaction is divided into three areas:
● Service Catalog (service name, description, and many other settings)
● ICF Nodes (maintenance of the ICF services and testing of the service)
● System Aliases (maintenance of the connection to the back-end)

Hint: For services not connecting to other systems, the Processing Mode is set to Co-deployed only and no system alias is assigned.

Figure 43: SAP Gateway Service Administration (OData V4)

OData V4 services are not registered as single instances. Instead a service group consisting of multiple services is published. These service groups are created using the SAP Backend Service Administration (transaction /IWBEP/V4_ADMIN) and shipped by SAP or created by developers. The SAP Gateway Service Administration (transaction /IWFND/V4_ADMIN) is used to publish service groups so that the services inside can be consumed in applications.

Hint: The default service group /IWBEP/ALL consists of all SAP Gateway services in the BES. This makes it easier for developers to test their services in a development system. It should never be published on a productive system.

Figure 44: SAP Gateway Client

Using the SAP Gateway Client (transaction /IWFND/GW_CLIENT), all functions of an OData service can be tested. For a read request, it is enough to enter the request URI and execute. For a create, update, and delete request, additional adjustments must be made, for example, a request body filled with data must be created. All adjustments can be saved as test cases for later usage. The SAP Gateway Client can handle data formats like XML (Atom) and JSON for both OData V2 and V4 services.

Apart from these transactions, there are several more for SAP Gateway. All transactions are connected to each other via buttons and menu entries.
Therefore, you can jump from the service maintenance to the client and back.

SAP Gateway Maintenance

Figure 45: SAP Gateway Transactions

SAP Gateway is available in two branches (runtime and designtime) in the SAP Reference Implementation Guide (transaction SPRO) but also offers many transactions. Besides the SAP Gateway Service Builder (transaction SEGW) for developers, the transactions can be categorized in administration, management and monitoring. If a transaction starts with IWFND, it is connected to OData runtime (for hub deployment in FES). If it starts with IWBEP, it is connected with designtime (for hub deployment in BES).

Administration

/IWFND/IWF_ACTIVATE
(De-)Activate SAP Gateway for the whole system.

/IWFND/ROUTING
Define system aliases for accessing ABAP systems via RFC.

/IWFND/SOFTSTATE
(De-)Activate soft-state mode for all SAP Gateway services in the system.
Caution: Please check SAP Note 1986626 – Request could not be processed in soft state mode before activating.

/IWBEP/GLOBAL_CONFIG
Settings for logs, traces, and caching.

Management

/IWFND(IWBEP)/CACHE_CLEANUP
Cleanup model cache in run- and designtime.

/IWFND/NOTIF_CLEANUP
Cleanup notifications in run- and designtime.

/IWFND/MED_ACTIVATE
(De-)Activate metadata cache for the whole system.

Monitoring

/IWFND/APPS_LOG
View general messages of services.

/IWFND(IWBEP)/ERROR_LOG
View error messages of services for run- and designtime.

/IWFND(IWBEP)/NOTIF_MONITOR
View notification queue status for run- and designtime.

/IWFND(IWBEP)/TRACES
Run and view performance and payload traces for run- and designtime.

/IWFND/STATS
View request statistics of services.

Figure 46: Periodical Tasks for SAP Gateway

SAP Gateway offers some cleanup jobs to ensure that the software runs with optimal performance.
The frequency specified depends on the load in your system to avoid a waste of disk and memory space. The SAP Reference Implementation Guide (transaction SPRO) offers sections for cleanup tasks for FES and BES. The following jobs can be scheduled directly in SPRO running daily at 3 am:

Front-End Server

SAP_IWFND_SUP_UTIL_CLN
This job deletes logs of support utilities, such as error logs, traces, and performance logs.

SAP_IWFND_APPS_LOG_CLN
This job deletes SAP Gateway entries from the application log.

SAP_IWFND_NOTIF_CLN
This job deletes the SAP Gateway notifications.

Back-End Server

SAP_IWBEP_SUP_UTIL_CLN
This job deletes logs of support utilities, such as error logs, traces and performance logs.

SAP_IWBEP_QRL_CLN
This job deletes the entries of the query result log.

In addition to these automatically scheduled jobs, the report /IWFND/R_SM_CLEANUP offers several cleanup scenarios. In SPRO, it can be run directly or scheduled as a job using report variants for several scenarios, such as cleaning up the Application Log Viewer (scenario /IWFND/CLEANUP_APPSLOG) or Error Log (scenario /IWFND/SUPPORT_UTILITIES).

Note: When activating SAP Gateway, the following jobs are scheduled automatically:
● SAP_IWFND_METERING_AGG
● SAP_IWFND_METERING_DEL
If the jobs are not running periodically, the system will need more disk resources than expected. These jobs are only carried out in one client, but they are also doing this for the other clients. When deactivating SAP Gateway, the jobs are deleted automatically, as long as SAP Gateway is not active in another client.

SAP Gateway Soft State

Figure 47: Soft State Caches

By default, OData communication is stateless. There are however certain business scenarios that do require the caching of data to improve the performance.
Since SAP Gateway 2.0 SP09 (SAP_GWFND 7.40 SP08), soft state enables the SAP Gateway runtime to process several requests in one ABAP application server session in a similar way to stateful behavior. The only difference is the behavior of the application server after the session times out: Instead of breaking the request processing with a time-out exception, the server creates a new session and processes the request as usual. The only thing that the consumer will observe is that the response time will be higher because data that was previously cached must be read or calculated again.

The session that is held by the Internet Communication Framework (ICF) results in a session held in the back-end system via RFC. There, the data (variables) processed in the SAP Gateway design time is cached in the data provider cache. In addition, the Soft State Based Query Result Cache (SQRC) resides in the FES. If the client only wants to navigate through a result set, it can serve as a cache, avoiding unnecessary calls to the BES.

Figure 48: Enable Soft State

Using SAP Gateway Service Maintenance (transaction /IWFND/MAINT_SERVICE), the soft state is activated for single services supporting soft state. As a prerequisite, the session timeout for the ICF node must be set to a value larger than 0. This can also be done from within SAP Gateway Service Maintenance using the ICF Node button.

Note: Transaction /IWFND/SOFTSTATE allows (de-)activation of soft state mode for all SAP Gateway services in the SAP system.

Figure 49: Soft State Based Query Result Cache (SQRC)

The response time of the first service request using SQRC is significantly higher compared to a similar request without it. The whole data is read at once from the database and cached. All following requests before the timeout read the next portion of data from the cache.
This reduces the application time to 0, which also means that there is no RFC communication with the BES.

SQRC should only be used if all of the following conditions apply:
● The data retrieval is very expensive (slow).
● Caching of large data sets must be avoided.
● Cached data is not often changed.
● Memory is sufficiently available.

SAP system resources are occupied as long as the session is active. The more services that run in soft state mode in parallel, the more resources are permanently occupied. Therefore, the timeout should be very short. For more details, please read SAP Note 1986626 – Request could not be processed in soft state mode.

SAP Gateway Routing

Figure 50: Routing Capabilities

Multiple system aliases can be assigned to an SAP Gateway service catalog entry. In this way, the same service logic can be called in multiple back-end servers (BES) by means of routing rules working on the data available in the different databases. The most basic rule is setting one alias as default. Only this one is then used. The others can be used as backup (for example when the main BES is not reachable) or accessed by applying further routing rules.

Figure 51: Routing via Role Assignment

By assigning a user role to a system alias for an SAP Gateway service catalog entry, the alias can only be used by users that have this role assigned to them. Nothing has to be set in the user role, especially no authorizations. It is not about authorizing a user in some way, it is about routing a certain group of users to a certain BES. The grouping element for this is a user role.

Figure 52: Routing via Request URI

When the user has multiple system aliases assigned via the user roles, the one with the default flag is used. The ones without the default flag can be accessed by adding the alias as origin to the request URI. Trying to access a system using an alias not assigned to the user results in an error.
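The routing rules above (default alias, role-restricted aliases, origin in the request URI) and the multiple origin (mo) option described next can be modelled to review request logs for origins a user is not assigned to. This is an added example, not SAP code or part of the handbook: the `;o=<alias>` and `;mo` segment parameters, the `/sap/opu/odata/` path layout, the log line format, and all service, alias, role and user names are assumptions or constructed sample data, as is treating an alias without a role as usable by everyone.

```python
"""Simplified model of SAP Gateway system-alias routing for log review."""
from dataclasses import dataclass
from typing import Optional

ODATA_PREFIX = "/sap/opu/odata/"  # assumed OData V2 path layout


@dataclass(frozen=True)
class AliasAssignment:
    alias: str                   # system alias pointing to one BES
    role: Optional[str] = None   # None: no role restriction (assumption)
    default: bool = False        # default flag of the assignment


class RoutingError(Exception):
    """The request cannot be routed to a back-end system."""


def parse_request(path):
    """Return (service, origin, multi_origin) for an OData request path."""
    path = path.split("?", 1)[0]                    # drop query options
    if not path.startswith(ODATA_PREFIX):
        raise ValueError("not an OData request path: %r" % path)
    parts = path[len(ODATA_PREFIX):].split("/")     # namespace, service, ...
    if len(parts) < 2 or not parts[1]:
        raise ValueError("no service segment in %r" % path)
    name, *params = parts[1].split(";")             # SERVICE;o=ALIAS or ;mo
    origin, multi = None, False
    for param in params:
        if param == "mo":
            multi = True
        elif param.startswith("o="):
            origin = param[2:]
    return name, origin, multi


def resolve(assignments, user_roles, origin=None, multi=False):
    """Return the system aliases a request is routed to, or raise."""
    # The role only selects a back end; it grants no authorization there.
    usable = [a for a in assignments
              if a.role is None or a.role in user_roles]
    if not usable:
        raise RoutingError("no system alias assigned to this user")
    if multi:                                       # all assigned systems
        return sorted({a.alias for a in usable})
    if origin is not None:                          # explicit origin
        if origin not in {a.alias for a in usable}:
            raise RoutingError("alias %s is not assigned to this user" % origin)
        return [origin]
    defaults = sorted({a.alias for a in usable if a.default})
    if len(defaults) != 1:
        raise RoutingError("no unique default alias")
    return defaults


def audit(log_lines, catalog, user_roles):
    """Return (user, service, origin, reason) for requests that cannot be routed."""
    findings = []
    for line in log_lines:
        user, _method, path = line.split(maxsplit=2)
        service, origin, multi = parse_request(path)
        try:
            if service not in catalog:
                raise RoutingError("service not registered")
            resolve(catalog[service], user_roles.get(user, set()), origin, multi)
        except RoutingError as exc:
            findings.append((user, service, origin, str(exc)))
    return findings


# Constructed sample data: one service with three back ends.
CATALOG = {"ZSALES_SRV": [
    AliasAssignment("BES_EU", "Z_ROUTE_EU", default=True),
    AliasAssignment("BES_US", "Z_ROUTE_US"),
    AliasAssignment("BES_APAC", "Z_ROUTE_APAC"),
]}
USER_ROLES = {"alice": {"Z_ROUTE_EU", "Z_ROUTE_US"}, "bob": {"Z_ROUTE_EU"}}
SAMPLE_LOG = [  # constructed "<user> <method> <path>" lines
    "alice GET /sap/opu/odata/sap/ZSALES_SRV/Orders",
    "alice GET /sap/opu/odata/sap/ZSALES_SRV;o=BES_US/Orders",
    "bob GET /sap/opu/odata/sap/ZSALES_SRV;o=BES_US/Orders",
    "alice GET /sap/opu/odata/sap/ZSALES_SRV;mo/Orders",
    "bob GET /sap/opu/odata/sap/ZSALES_SRV;o=BES_APAC/Orders?$top=5",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, CATALOG, USER_ROLES):
        print(finding)
```

Because the role only steers routing, repeated findings for one user point at probing of other back ends or a missing role assignment; what the user may do in the BES is still decided by authorizations there.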
Figure 53: Multiple Origin Composition

By adding the option for multiple origin (mo) to the request URI, all systems that the user has an alias assigned to are called. The sum of all data from all BESs is merged on the front-end server (FES) and provided to the application.

The prerequisite for all routing features is the identical service logic in the BESs for a certain service registration. It is not guaranteed to work when the service logic differs from BES to BES.

Additional Information on SAP Gateway

For more information on SAP Gateway, see
● SAP Gateway Community: https://community.sap.com/topics/gateway
● SAP Gateway Documentation: https://help.sap.com/nwgateway
● SAP Note 1560585 – SAP Gateway 2.0 Release Note
● SAP Note 1574568 – SAP Gateway Foundation and SAP Gateway 2.0 - Known Constraints
● SAP Note 1942072 – SAP Gateway 2.0 Support Package Stack Definition
● SAP Note 1986626 – Request could not be processed in soft state mode
● SAP Note 2512479 – SAP Gateway Foundation Support Package Stack Definition

LESSON SUMMARY
You should now be able to:
● Explain OData
● Explain SAP Gateway
● Perform basic configuration steps for SAP Gateway
● Enable SAP Gateway soft state
● Configure SAP Gateway routing

Unit 1 Lesson 6
Describing Web Services in AS ABAP

LESSON OVERVIEW
A Web service is a standardized way of integrating web-based applications using the open standard XML over an Internet Protocol backbone. This lesson first explains some basic terms in the context of Web services. Then it explains the basic steps to create a Web service from an existing function module. Finally, there is a section on the transport of Web services in an SAP system landscape.

Business Example
Your company is running a heterogeneous system landscape using different technologies.
They want to use Web services for data exchange between these different technologies. As an administrator, you want to know how you can configure your AS ABAP based SAP system so that it can provide Web services.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Name a use case for Web Services
● Explain the Web Service paradigm
● List the steps to create a Web Service from a function module using the inside-out approach
● List options to perform binding in the production environment

Introduction

Business processes are divided into process steps. You can assign one or more functions to each of these steps and an executing software component to each of these functions. In a typical heterogeneous (or even hybrid) system landscape in a company, the necessary functions in a global process are not all implemented using the same technology or the same components. The integration of an ever-increasing number of business partners, in particular, complicates this problem further. A modern software infrastructure must therefore be able to integrate functions that are implemented on different software components into an efficient global process.

Internet technology provides the basis for calling and communicating with distributed services. Superimposed onto this simple, globally-accepted communication standard, XML provides the basis for defining additional necessary standards. Only when you move away from proprietary definitions and towards generally accepted standards is there a guarantee of smoothly integrating all the functions and partners involved in the process. The result is Web services.

The following figure shows the Ariba Procure-to-Pay scenario as an example that widely uses Web services: Here Web services are used to communicate with SAP Integration Suite (formerly known as SAP Cloud Platform Integration – CPI) on SAP Business Technology Platform. SAP Integration Suite can be accessed with Web services both from AS ABAP based SAP systems and from the SAP Ariba side.

Figure 54: SAP Ariba Procure-to-Pay with SAP Integration Suite as an Example for the Use of Web Services

A Web service is an independent, modular, and self-describing application function or service. Based on XML standards, these application functions can be described, made available, located, transformed, or called using standard Internet protocols. Each Web service therefore encapsulates a function, which is used, for example, to forward a price query to a provider, check the availability of an item in a retail system, locate a telephone number, or run credit card checks, convert currencies, or execute payroll functions.

The following figure shows the Web service paradigm:

Figure 55: Web Service Paradigm

A service provider provides access to a service. If a service is a Web service, the service provider has a corresponding XML-based description that is a Web Services Description Language (WSDL) document. Any programming language can be used to implement the Web service. In a client/server relationship, the service provider can be regarded as the server. When publishing a service, the service provider transmits information about itself and a description of the service it offers to the service registry.

A service registry is a type of yellow pages for Web services. A service registry provides, among other things, information about calling the Web service. It therefore provides only a description of the Web service. This description forms an abstraction layer, independent of the corresponding implementation. The Web service itself is hosted by the service provider.

A Web service user is referred to as a service requester.
A service requester can, for example, be someone who locates a Web service using a web browser and then uses the service. In most cases, however, the service requester is an application that accesses the Web service. The application can also bind to the service dynamically if required, that is, the application can dynamically create a Web service client proxy at runtime and use this proxy to access the Web service. The application obtains the necessary information for accessing the Web service from the service description. This information is then stored in the service registry. However, if the application knows the provider and the call details, it can use the Web service without having to access the service registry. In a client/server relationship, the service requester is the application client.

Standards

Web services can exist in any implementation. Therefore, a standardized description is required if Web services are to be called from any application. The WSDL best meets this demand. However, a Web services description in WSDL alone is not sufficient. To find the right business partner and corresponding service quotation, you need a service registry to help you to find the required service. The Web service provider must also be able to make its offer publicly available as easily as possible. The Universal Description, Discovery and Integration (UDDI) offers a solution. For more information, see http://uddi.xml.org.

The following list explains some standards that are used with Web services:

UDDI Registry (Universal Description, Discovery and Integration)
With its UDDI Registry and UDDI specification, UDDI provides the necessary tools for making services public. The specification provides a detailed description of how to locate and register services. The UDDI Registry contains a list of registered Web services in WSDL format. The UDDI Registry does not store documents or specifications, but only references them.
SOAP
To call Web services based on Internet technologies, a suitable protocol definition is needed. SOAP has created a simple standard that allows Web services to be accessed in decentralized, distributed landscapes. SOAP specifies a package of XML documents for transport via Internet protocols such as HTTP(S), SMTP, or FTP. SOAP defines a so-called envelope. In this envelope, you will find the actual XML-based message with a header and a body, as well as further information about how the message should be processed.

WSDL (Web Service Description Language)
WSDL is an XML-based description language for Web services. The WSDL Service definition includes the description of distributed systems and provides instructions for automating data exchange between applications. The Web Service Description Language is used to describe Web services or electronic services in XML format. A service is defined as a collection of endpoints (ports) and the messages they work with. By using WSDL, a service provider can describe the requirements and features of their Web service so that a potential customer understands them and interacts properly with the service.

Structure of a WSDL File

The WSDL describes services as collections of network endpoints, or ports. The WSDL specification provides an XML format for documents for this purpose. The abstract definitions of ports and messages are separated from their concrete use or instance, allowing the reuse of these definitions. A port is defined by associating a network address with a reusable binding, and a collection of ports defines a service. The following figure gives an example of the structure of a WSDL file.

Figure 56: Parts of a WSDL File

The WSDL file consists of the following parts (see the figure above):

● Definition: The definition element is the root element in which the different namespaces are defined.
● Types: Describes the data in XML format.
● Messages: A message typically corresponds to an operation. The message element consists of one or more logical parts. Each part element references a type that is defined in the types element. A part could represent, for example, a parameter of a message or a function call.
● Operation: Operation is an abstract term for the possible SOAP action of a Web service. Each operation consists of one to three messages in addition to the name: an input, an output, and possibly a fault message.
● Port Type: Defines the operations of a Web service that can be performed.
● Binding: Defines the operation as well as the interface and the data format (SOAP, HTTPGET, and so on).
● Service: A set of similar connection points or addresses that is defined in the port element.
● Port: Defines the connection point or the address (URL) of a Web service.

Creation of a Web Service Using the Inside-Out Approach

There are two different development approaches for developing ABAP Web Services: Inside-Out and Outside-In.

● With the Inside-Out approach, independent function modules that have been implemented as RFC-enabled function modules, as function groups, or as BAPIs are provided as a Web service. The Web service can be used across the entire Internet using standard protocols and can easily be added to any development environment.
● In the Outside-In approach, the development of Service Interfaces starts in a platform-independent format, mostly XML. With the Enterprise Services Builder, SAP offers a tool that supports the platform-independent development of Service Interfaces. Connected application systems can read these interfaces. Using the ABAP Proxy technology, a developer can create an ABAP Object that consists of one or more ABAP Methods. Since development begins outside the application system, this approach is called Outside-In.
Note: This lesson focuses on the Inside-Out approach. For more information concerning the Outside-In approach, see SAP training class BIT102 – SAP Integration Technology Interfaces II (Web Interfaces).

The following figure explains how to create a Web service from an existing function module (such as Z_BAPI_FLIGHT_GETDETAIL):

Figure 57: Creation of a Web Service Using the Inside-Out Approach

This consists of the following three main steps:

● Step 1: ABAP Implementation: As a starting point, you need a function module (such as Z_BAPI_FLIGHT_GETDETAIL in the figure above). Among others, this function module consists of import and export parameters (interfaces). These interfaces need to be used to make use of the functionality that this function module offers.
● Step 2: Create Web Interface – ABAP to XML: For use with Web services, the input and output interfaces need to be provided in XML. The mapping of the ABAP structures (such as parameters) to XML is done with the help of a generator, which can be called from the Function Builder (transaction SE37), which in turn is part of the ABAP Workbench. As a result, you get the Service definition for the function module. Among others, this Service definition consists of an (abstract) WSDL and a first configuration.
● Step 3: Configuration in transaction SOAMANAGER: With the help of transaction SOAMANAGER, all necessary configurations are finally performed. This includes the creation of a concrete WSDL according to the WSDL 1.1 definition and the creation of a Service in transaction SICF so that the Web service can then be called.

Tools

For developing Web services at SAP, some tools are needed:

● For the implementation of the functionalities on the provider side and the call of these functionalities on the consumer side, you need the ABAP Workbench for the development.
● For the configuration of the Web service on the provider side and on the consumer side SAP offers transaction SOAMANAGER.
● For testing Web services SAP offers the Web Service Navigator (WSNavigator), which is a Web service client, implemented in Java.

For developing Web services, SAP offers the transaction SOAMANAGER in the SAP back end, which allows you to configure Web services based on the Proxy Technology. You can use transaction SOAMANAGER for the complete configuration of service provider and consumer proxies for a local system.

Figure 58: SOAMANAGER - Initial Screen

● The Service Administration tab offers functionality to set up configuration to support business processes with Web services. This functionality is intended for business administrators who manage business processes across systems in a system landscape. To set up SOAMANAGER for local access, you do not need to perform any special steps.
● The Management Connections tab allows you to set up SOAMANAGER for remote access to other systems.

The following prerequisites must be fulfilled to use transaction SOAMANAGER:

● You have administration authorization (as shipped in SAP roles SAP_BC_WEBSERVICE_ADMIN_TEC or SAP_BC_WEBSERVICE_CONFIGURATOR).
● In transaction SICF, you have activated the following nodes:
  - /sap/bc/srt (including sub nodes)
  - /sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT
● The service and proxy definitions that you want to configure are available as development objects in the back-end system.

Hint: If you want to work with transaction SOAMANAGER remotely (that is in a system landscape), you need to configure the communication between ABAP systems and to activate additional services under /sap/bc/webdynpro/sap in transaction SICF.

Transport of Web Services

The following figure shows how to handle Web services in a three-system landscape:
Figure 59: Transport of Web Services

The figure above shows that you need to distinguish between the Service definition and the configuration (binding) including the ICF Service:

● The Service definition (as well as the function module or BAPI) is developed in the development system. The changes are recorded in transport requests which are transported into the quality assurance system and the production system with the help of the Change and Transport System (CTS).
● The configuration (binding) has to be performed in every system individually with the help of transaction SOAMANAGER. This binding then also creates and activates the corresponding ICF service. For running SOAMANAGER, you have different options:
  - Either you use SOAMANAGER locally on every system (that is: call transaction SOAMANAGER also on the QAS system and on the PRD system).
  - Or you configure SOAMANAGER on a central system for the remote use as indicated on the figure above (that is: call SOAMANAGER on the central system and from there connect to the remote systems QAS and PRD).

Additional Information

For more information on ABAP Web services, see SAP training class BIT102 – SAP Integration Technology Interfaces II (Web Interfaces) and the online documentation for SAP S/4HANA (Product Assistance), for example: area Enterprise Technology → ABAP Platform → Developing on the ABAP Platform → Development Concepts and Tools → Application Development on AS ABAP → ABAP Development Tools – Eclipse → SAP (On Premise) – ABAP Web Services.

For troubleshooting ABAP Web Services, SAP Note 2553979 – ESI - SOAP Web Services ABAP - Guided Answers may help. In addition, transaction SOAMANAGER offers a consistency check tool, see SAP Note 2353589 – Consistency Check for Soamanager.
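The parts listed under "Structure of a WSDL File" reference each other by name, and the concrete WSDL created in SOAMANAGER adds the port addresses. The following Python code is an added example, not SAP code or SOAMANAGER output: it resolves service → port → binding → port type → operations → messages in a constructed WSDL 1.1 document and marks ports whose address is not HTTPS. All names, hosts and paths in the sample are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed WSDL 1.1 sample: host, ports, paths and names are placeholders.
SAMPLE_WSDL = """\
<wsdl:definitions name="FlightService" targetNamespace="urn:example:flight"
    xmlns:tns="urn:example:flight" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:types>
    <xsd:schema targetNamespace="urn:example:flight">
      <xsd:element name="GetDetail" type="xsd:string"/>
      <xsd:element name="GetDetailResponse" type="xsd:string"/>
      <xsd:element name="GetDetailFault" type="xsd:string"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="GetDetailIn"><wsdl:part name="parameters" element="tns:GetDetail"/></wsdl:message>
  <wsdl:message name="GetDetailOut"><wsdl:part name="parameters" element="tns:GetDetailResponse"/></wsdl:message>
  <wsdl:message name="GetDetailErr"><wsdl:part name="fault" element="tns:GetDetailFault"/></wsdl:message>
  <wsdl:portType name="FlightPortType">
    <wsdl:operation name="GetDetail">
      <wsdl:input message="tns:GetDetailIn"/>
      <wsdl:output message="tns:GetDetailOut"/>
      <wsdl:fault name="Error" message="tns:GetDetailErr"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="FlightBinding" type="tns:FlightPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetDetail">
      <soap:operation soapAction="urn:example:flight:GetDetail"/>
      <wsdl:input><soap:body use="literal"/></wsdl:input>
      <wsdl:output><soap:body use="literal"/></wsdl:output>
      <wsdl:fault name="Error"><soap:fault name="Error" use="literal"/></wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="FlightService">
    <wsdl:port name="FlightPortHttps" binding="tns:FlightBinding">
      <soap:address location="https://host.example:44300/sap/bc/srt/flight"/>
    </wsdl:port>
    <wsdl:port name="FlightPortHttp" binding="tns:FlightBinding">
      <soap:address location="http://host.example:8000/sap/bc/srt/flight"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def local(qname):
    """Drop the namespace prefix of a QName such as 'tns:FlightBinding'."""
    return qname.split(":", 1)[-1]


def describe(wsdl_text):
    """Resolve service -> port -> binding -> port type -> operations -> messages."""
    root = ET.fromstring(wsdl_text)
    # Messages: name -> names of their logical parts.
    messages = {m.get("name"): [p.get("name") for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    # Port types: name -> {operation: {input/output/fault: message name}}.
    port_types = {}
    for pt in root.findall("wsdl:portType", NS):
        ops = {}
        for op in pt.findall("wsdl:operation", NS):
            ops[op.get("name")] = {kind: local(el.get("message"))
                                   for kind in ("input", "output", "fault")
                                   for el in op.findall("wsdl:" + kind, NS)}
        port_types[pt.get("name")] = ops
    # Bindings: name -> port type they implement.
    bindings = {b.get("name"): local(b.get("type"))
                for b in root.findall("wsdl:binding", NS)}
    ports = []
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            url = addr.get("location") if addr is not None else ""
            port_type = bindings[local(port.get("binding"))]
            ops = port_types[port_type]
            # Message names used by an operation but never declared.
            unresolved = sorted({m for op in ops.values() for m in op.values()
                                 if m not in messages})
            ports.append({"service": svc.get("name"), "port": port.get("name"),
                          "address": url, "port_type": port_type,
                          "operations": ops, "unresolved_messages": unresolved,
                          "encrypted": urlparse(url).scheme == "https"})
    return ports


if __name__ == "__main__":
    for p in describe(SAMPLE_WSDL):
        print(p["service"], p["port"], p["address"],
              "HTTPS" if p["encrypted"] else "NOT ENCRYPTED", sorted(p["operations"]))
```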
LESSON SUMMARY

You should now be able to:

● Name a use case for Web Services
● Explain the Web Service paradigm
● List the steps to create a Web Service from a function module using the inside-out approach
● List options to perform binding in the production environment

Unit 1 Lesson 7

Installing and Configuring SAP Web Dispatcher

LESSON OVERVIEW

The lesson highlights the use of the SAP Web Dispatcher and methods to operate it.

LESSON OBJECTIVES

After completing this lesson, you will be able to:

● Describe basic functions of SAP Web Dispatcher
● Perform an installation of SAP Web Dispatcher
● Use the Web Administration interface
● Perform the configuration of SSL
● Perform the configuration of load balancing
● Describe additional functions of SAP Web Dispatcher

Application Area of SAP Web Dispatcher

SAP Web Dispatcher is SAP's reverse proxy and software load balancer. It filters, routes and distributes HTTP(S) requests across the systems and application servers in an application landscape. It is free of charge for SAP customers, low in TCO, yet high in performance and perfectly supports SAP systems and their load balancing and request routing features out of the box. SAP Web Dispatcher provides an easily consumable Web infrastructure solution for SAP solutions based on AS ABAP, AS Java or HANA XS or any other HTTP service.

SAP Web Dispatcher usage is not mandatory (except for selected scenarios). Since HTTP is a standardized protocol, other Web infrastructure products can be used as well. For example, a hardware load balancer may be of advantage if investments in such infrastructure are already made or if very high performance requirements have to be met.

Some SAP Web Dispatcher features are:

● Load balancing for SAP and non-SAP systems.
  SAP Web Dispatcher can serve as a single access point for one or multiple back-end systems.
● Automated configuration by fetching system configuration information from the back end system.
● Reverse proxy with request filtering, caching, request header modification, redirects.
● Request routing to back-end systems based on host, port or path (virtual hosting).
● Single Sign-On for on-premise SAP Fiori Launchpad and integrated cloud services.

Figure 60: SAP Web Dispatcher – Overview

Some of the usage scenarios of SAP Web Dispatcher are as follows:

● The Web applications are also to be used from the internet. The company network is protected by a Demilitarized Zone (DMZ) and the critical business processes run on servers that are not recognized on the internet. How can you avoid the need to place an SAP application server within the DMZ?
● The SAP system in question consists of multiple application servers (instances) that are distributed across multiple virtual or physical hosts. However, the Web applications provided should run under a descriptive address; technical details such as server name and port number are to remain hidden to users.
● Complex SAP Fiori landscapes may consist of one or more front-end servers and multiple back-end systems and possibly additional cloud services, like SAP Conversational AI. HTTP requests must be routed to one of these systems depending on URL properties of the request (host name, port, path, parameters).

Requirements such as these can be implemented using third-party products known as reverse proxies or Web switches. Although there are advantages, such as high throughput and implementation in close proximity to the hardware, they must be offset against the disadvantages of additional costs and restricted SAP integration.
SAP Web Dispatcher is a stand-alone program that you can run on a separate host or even on one of the application servers of an SAP system without depending on any additional software like a database.

Hint: The internal structure of SAP Web Dispatcher is very similar to the ICM process. When it comes to the operation of SAP Web Dispatcher, you will discover some analogies to the ICM environment.

Prerequisites for SAP Web Dispatcher

SAP Web Dispatcher ultimately forwards an HTTP(S) request to a specific application server instance belonging to a specific system. This section outlines the criteria by which it is performed. An HTTP(S) request is processed in the following stages:

1. First, SAP Web Dispatcher determines which system should be selected for a given HTTP request based on criteria like the URL hostname or path prefix.
2. Then SAP Web Dispatcher performs additional tasks on the HTTP request like URL filtering, cache access, HTTP request rewriting.
3. Load balancing is then carried out between application server instances of the selected system.

After SAP Web Dispatcher has identified an application server instance, it forwards the request to the ICM of the relevant application server instance.

Metadata Exchange

SAP Web Dispatcher receives information about the application servers, which it needs for load distribution, from the message server and application servers. The following list presents types of information:

● It gets server information (the list of servers that it can use for requests) from the message server.
● It gets information about the logon groups and URL mapping from an ABAP application server.
● SAP Web Dispatcher checks the availability of the application servers using ping requests to the application servers.

SAP Web Dispatcher obtains information about the application servers of the SAP system from the message server via HTTP(S).
You can use SAP Web Dispatcher for AS ABAP systems, AS Java systems, HANA XS systems and SAP Cloud Platform systems in some scenarios.

The HTTP interface of the message server allows you to display information about the application server instances with a Web browser. To do so, enter the following URL:

http(s)://<message server host>.<message server domain>:<message server http(s) port>/msgserver/text/logon?version=1.3

Prerequisites

The prerequisites for operating the SAP Web Dispatcher are:

● The SAP Web Dispatcher is able to contact the HTTP port of the SAP message server.
● The following ICF services are active:
  - /sap/public/icman
  - /sap/public/icf_info and all sub-services

SAP Web Dispatcher Installation

SAP Web Dispatcher is backwards compatible. This means that the SAP Web Dispatcher release can be higher than or the same as the SAP system (kernel) release. The patch level can also differ from the patch level of the back-end system. The general rule is: always use the latest available SAP Web Dispatcher. SAP Note 908097 provides all the details.

Figure 61: SAP Web Dispatcher – Supported Releases

Different installation options are available for SAP Web Dispatcher:

Figure 62: SAP Web Dispatcher Installation Options

Provide executable and profile
On the host on which SAP Web Dispatcher will be used, it is sufficient to provide the executable (name: sapwebdisp) and a profile file. The executable is delivered in the package sapwebdisp.sar, which you can download for various platforms from the SAP Support Portal (area SAP Technology Components). In addition, you need a profile, typically named sapwebdisp.pfl. For a list of profile parameters, see the online documentation. Running the command sapwebdisp pf=<profile file> is sufficient to start SAP Web Dispatcher.
Hint: On servers based on Microsoft Windows, you can set up SAP Web Dispatcher as a Windows service with the command ntscmgr install sapwebdisp -b <program path>\sapwebdisp.exe -p "service pf=<profile file> <options>".

Provide executable and use the -bootstrap option
You can also start SAP Web Dispatcher without a profile file. For this bootstrap option (started with command sapwebdisp -bootstrap), the following steps are executed:

1. If the sapwebdisp.pfl profile file does not exist, it is created based on interactive entries.
2. If the icmauth.txt authorization file does not exist, it is created and a user is entered for Web Administration interface.
3. SAP Web Dispatcher is started with the profile file created.

Running SWPM / SAPinst
The tools for installing and updating SAP products are delivered with the Software Logistics Toolset (SL Toolset), which is updated several times a year, so you get the latest improvements and updates in time. In this manner, the SL Toolset delivers software logistics tool improvements on a continuous basis, independent from the SAP application product shipments. The SL Toolset is delivered in Support Package Stacks.

Software Provisioning Manager (SWPM) is the successor of the product- and release-specific delivery of provisioning tools. It provides the latest SAPinst version with software provisioning services for several products and releases for all platforms, enabling you to profit directly from up-to-date procedures powered by a reliable tool available and used for years.

Meanwhile, two versions of Software Provisioning Manager are available:

● Software Provisioning Manager 1.0
● Software Provisioning Manager 2.0

Both versions can be used to install SAP Web Dispatcher.

Note: In case you explicitly want to install the non-Unicode version of SAP Web Dispatcher, you have to use Software Provisioning Manager 1.0.
Figure 63: Preparation: Download the Latest SP of SWPM

To download the latest SWPM, open https://support.sap.com/sltoolset and navigate to System Provisioning → Download Software Provisioning Manager → SOFTWARE PROVISIONING MGR 2.0 → SUPPORT PACKAGE PATCHES → <Platform>. For more information about SWPM, see https://wiki.scn.sap.com/wiki/display/SL/Software+Provisioning+Manager+1.0+and+2.0.

The SWPM-based installation of SAP Web Dispatcher requires the following SAP archives (.SAR files):

● SAP Web Dispatcher
● SAP Host Agent

Figure 64: Preparation: Download SAP Web Dispatcher Archive

To download the latest SAP Web Dispatcher archive, open https://support.sap.com/swdc and navigate to Support Packages & Patches → Access downloads → Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>.

Figure 65: Preparation: Download SAP Host Agent Archive

To download the latest SAP Host Agent archive, open https://support.sap.com/swdc and navigate to Support Packages & Patches → Access downloads → Support Packages & Patches → By Category → SAP Technology Components → SAP Host Agent → SAP Host Agent 7.22 → <Platform>.

Figure 66: Starting SWPM

The sapinst executable can be launched with many command line options. To see all of them, enter sapinst -p. The option to install an SAP Web Dispatcher is located at Generic Options → SAP Web Dispatcher → SAP Web Dispatcher (Unicode) (the path may vary, depending on the SWPM release).

Figure 67: Input in Dialog Phase (Mode=Typical)

SWPM offers two options for Parameter Mode, Typical or Custom. The figure lists dialogs of SWPM when being executed in Parameter Mode = Typical.
To access the installation guides for SAP Web Dispatcher, open the Guide Finder for SAP NetWeaver and ABAP Platform at https://help.sap.com/viewer/nwguidefinder and search for dispatcher. Note the proper operating systems and SWPM version.

Profile Parameters

For templates for the profile and parameter descriptions, see the online documentation. SAP Web Dispatcher must know the port at which it is to receive HTTP(S) requests, and on which host and with which HTTP(S) port it can access the message server (both are set using SAP Web Dispatcher profile parameter wdisp/system_<xx>).

Note: If metadata is to be exchanged through HTTPS, additional steps are required (see the online documentation).

Configuration Check

You can check the configuration of SAP Web Dispatcher to ensure that your settings will work when the Dispatcher is running. To do so, start SAP Web Dispatcher from the command line with the command: sapwebdisp pf=<profile> -checkconfig. This verifies the following items:

● If the configuration of the maximum number of sockets in the Operating System permits the required number of configured connections.
● If the information about the application servers is configured in a file and in the wdisp/server_info_location parameter. Check the syntax and semantics of this file.
● If the information about the application servers is configured in the message server:
  - Test the connection to the HTTP port of the message server.
  - Check the data from the message server with the configured URL.
● If the connection to all the application servers is found.
● If the file is configured with the wdisp/group_info_location, do a syntactic/semantic check of the group file. Otherwise, check the data from an application server with the configured URL (/sap/public/icf_info/icr_groups). Check that the ICF nodes are activated.
● If the file is configured with the wdisp/url_map_info_location, do a syntactic/semantic check of the group file. Otherwise, check the data from an application server with the configured URL (/sap/public/icf_info/icr_urlprefix). Check that the ICF nodes are activated.

Software Update

If you want to update your SAP Web Dispatcher installation, download the SAP Web Dispatcher archive (for the proper operating system and major release) at https://support.sap.com/swdc, path Software Downloads → Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>. Unpack that file (by executing sapcar -xvf <sapwebdisp.sar file>) to the proper directory and (re)start SAP Web Dispatcher. Continue as described in SAP Note 908097 (the procedure is similar to a kernel update).

Hint: You can determine the current version of your SAP Web Dispatcher installation as follows:

● By executing sapwebdisp -v
● By analyzing the most recent developer trace file (by default, dev_webdisp)
● By launching the “Version Info” dialog in SAP MC or SAP MMC

Web Administration Interface

SAP Web Dispatcher offers a browser-based Web Administration interface for administration and monitoring purposes. To use this, the following prerequisites must be observed:

● Define the icm/HTTP/admin_<xx> parameter in the SAP Web Dispatcher profile. For example:
  icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8008
  The command sets the URL prefix for the administration to /sap/wdisp/admin and the path for some control files to ./admin.
  Note: Using this parameter, the access to the Web Administration interface can be further restricted to a port (for example, the SSL port), a local host name (for example, "localhost"), or an external host name (then the Web Administration interface can only be accessed from this host). You can also authenticate yourself for the Web Administration interface with a backend (ABAP) user using the AUTHFILE=backend option of this parameter. For details and restrictions, see SAP Note 2011786 – ICM / Web Dispatcher Admin UI Authentication via Backend.
● Specify this port with icm/server_port_<xx> as the inbound port.
● Create an authorization file icmauth.txt with an administrative user and (hashed) password.
  Note: Run wdispmon -a to check or modify the content of icmauth.txt.
● Ensure that the directory specified by DOCROOT (after SAP Web Dispatcher has been started for the first time) contains the files for the Web Administration interface.
  Note: You can also unpack the wdispadmin.SAR archive manually into a subdirectory with the name admin by calling sapcar -xvf wdispadmin.SAR.

Figure 68: Functions of the Web Administration Interface

Functions of the Web Administration Interface

The following list shows the Web Administration interface functions:

● SAP Web Dispatcher monitoring
● Display parameter settings
● Statistics
● Evaluation of trace files
● User administration
● Maintenance mode

Enter the Web Administration interface using the following URL:

http(s)://<SAP Web Disp host and domain>:<SAP Web Disp admin port>/<admin prefix>

The <admin prefix> section is defined through the assignment for PREFIX of the profile parameter icm/HTTP/admin_<xx>; the default value is /sap/wdisp/admin.

Note: For security reasons, use the HTTPS protocol for administration.
If you use HTTP, administrator passwords are transferred without encryption and can be tapped. Additionally, implement the option to bind SAP Web Dispatcher Web Administration to a dedicated port and localhost only.

Once you have logged on successfully, the administration and monitoring interface displays. It is divided into a navigation area (left side) and a detail area (right side).

Note: You can also monitor and administrate SAP Web Dispatcher with the wdispmon command line program (the usage is similar to the icmon command line tool).

Parameterization of SAP Web Dispatcher

Introduction

Similar to the ICM process, SAP Web Dispatcher is configured using parameters. The default values are selected so that you do not have to make any changes to these parameters. You determine the point of access to your SAP system using parameter icm/server_port_<x>. You can use the parameters to adapt the configuration to specific system requirements. Since the SAP Web Dispatcher connects itself to the SAP message server and communicates with it via HTTP, parameter wdisp/system_<x> must be set correctly in the SAP Web Dispatcher profile.

Note: For a complete list of those parameters, see the online documentation, topic SAP Web Dispatcher: Parameter References.

Figure 69: Variants to Set Parameters for SAP Web Dispatcher

You have multiple options to change parameters of SAP Web Dispatcher.

Change Profile and (Re)start SAP Web Dispatcher

One option is to change a parameter in the instance profile of SAP Web Dispatcher with a text editor of your choice.
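A profile edited by hand can be checked against the Web Administration recommendations given above (HTTPS port, localhost only) before SAP Web Dispatcher is (re)started. The following Python check is an added example, not SAP tooling: both sample profiles are constructed, and the option name HOST of icm/HTTP/admin_<xx> is assumed from SAP's parameter documentation rather than taken from this handbook.

```python
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Constructed profile: admin interface on a plain-HTTP port, no host restriction.
WEAK_PROFILE = """\
# sapwebdisp.pfl (constructed sample)
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=HTTP,PORT=8008
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8008
"""

# Constructed profile: admin interface on an HTTPS port, localhost only.
HARDENED_PROFILE = """\
# sapwebdisp.pfl (constructed sample)
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=HTTPS,PORT=44308
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=44308,HOST=localhost
"""


def parse_profile(text):
    """Return {parameter: value}; '#' lines are comments, the last definition wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'KEY=VAL,KEY=VAL' into a dict with upper-case keys."""
    opts = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def check_admin_interface(profile_text):
    """Return a list of findings; an empty list means both recommendations are met."""
    params = parse_profile(profile_text)
    # Inbound ports: port number -> protocol, from icm/server_port_<xx>.
    inbound = {}
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = parse_options(value)
            inbound[opts.get("PORT")] = opts.get("PROT", "").upper()
    findings = []
    admins = {n: parse_options(v) for n, v in params.items()
              if re.fullmatch(r"icm/HTTP/admin_\d+", n)}
    for name, opts in sorted(admins.items()):
        port = opts.get("PORT")
        if port is None:
            findings.append(f"{name}: no PORT option, admin prefix is not restricted to a port")
        elif port not in inbound:
            findings.append(f"{name}: PORT={port} is not defined by any icm/server_port_<xx>")
        elif inbound[port] != "HTTPS":
            findings.append(f"{name}: PORT={port} uses {inbound[port]}, not HTTPS")
        if opts.get("HOST", "").lower() not in LOCAL_HOSTS:
            findings.append(f"{name}: not restricted to localhost (HOST option)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_admin_interface(text) or "OK")
```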
Use one of the following tools to start a stopped SAP Web Dispatcher:

● SAP Management Console (SAP MC)
● SAP Microsoft Management Console (SAP MMC)
● command line tool sapcontrol (option -function StartSystem ALL)
● command line tool sapwebdisp (option pf=<InstanceProfile>)

Use one of the following tools to restart a running SAP Web Dispatcher:

● SAP Management Console (SAP MC)
● SAP Microsoft Management Console (SAP MMC)
● command line tool sapcontrol (option -function RestartSystem ALL)
● command line tool sapwebdisp (option pf=<InstanceProfile>)
● Web Administration interface of SAP Web Dispatcher (Shutdown or Soft Shutdown)

Change Profile and Reconfigure SAP Web Dispatcher

An alternative approach is to reconfigure a running SAP Web Dispatcher after you changed a parameter in its instance profile. As a prerequisite, ensure that parameter wdisp/config_reload is set to TRUE (the default value is FALSE). To trigger the reconfiguration of a running SAP Web Dispatcher, issue the following command at command line level:

sapwebdisp pf=<InstanceProfile> -reconfig profile

Change Parameter using the Web Administration Interface

The Web Administration interface also allows you to change parameters. To do so, navigate to Core System → Parameters → Edit Parameters. After entering a parameter Name, choose Get Value. In case of a valid entry, a short Description and the Type of the parameter are displayed.

Many, but not all parameters are dynamically changeable. In case of a dynamically changeable parameter, you have the option to change it temporarily. Similar to a change of a dynamic parameter in AS ABAP (transaction RZ11), the change is applied immediately, but lost after a restart of SAP Web Dispatcher.

If you choose to change the parameter permanently, the change is applied to the instance profile of SAP Web Dispatcher.
Also, a backup of the former instance profile is created (in the backup sub-directory of the profile path). In case of a dynamically changeable parameter, the change is also applied to the running SAP Web Dispatcher.

Cryptography Fundamentals

Introducing Cryptography

Cryptography is the science of encrypting information. Why is this a very important topic in today's IT world? The standard protocol used for transporting HTTP requests, TCP/IP, is a potentially insecure transport mechanism. Everyone connected to a specific network is able, with more or less effort and knowledge, to listen to the packets and their content transferred with the IP protocol in that network. This vulnerable protocol makes it necessary to encrypt the transferred data itself.

For a better understanding, we describe here a possible attack against the TCP/IP protocol and the data transferred with this protocol.

Figure 70: Threat: Eavesdropping

In the above example, Alice (1) initiates a communication with Bob and requests some data about customers from him. Bob gathers the requested data and responds to Alice's request (2). The entire exchange is eavesdropped by Mallory. He now knows about the information that was discussed (3).

In the context of TCP/IP, Alice (who stands for a Web browser, for example) requests some data via an HTTP request that is transferred via the TCP/IP protocol. The server (here represented by Bob) responds and transfers some sensitive customer data from the server to the client via the TCP/IP protocol. Mallory, an attacker, is on the same network and therefore is able to eavesdrop on this TCP/IP communication.

The solution for securing this communication is the encryption of the transferred data; this involves making the conversation impossible for the attacker to understand but making it understandable to the participants involved in the conversation only.
Figure 71: Protection: Encryption

Encryption Methods

Encryption itself is based on mathematical operations. A key therefore has to be exchanged between the communication partners in order to have a computable basis for encrypting and decrypting information. There are three different methods for exchanging these keys.

Figure 72: Encryption Methods

Symmetric Key Encryption is the classical cryptography method for encrypting and decrypting messages. In this case, both the sender and receiver of a message share a “secret” called a secret key. The sender uses this key to encrypt the message. The receiver also uses this key to decrypt the message.

Figure 73: Symmetrical Encryption

The shared secret is called a secret key. It consists of a value of a certain length, 256 bits for example. These encryption algorithms are in widespread use and are employed in most Web browsers and Web servers.

Typical Symmetric Key Encryption Algorithms include:

● Digital Encryption Standard (DES)
● Triple DES
● Advanced Encryption Standard (AES)
● International Data Encryption Algorithm (IDEA)
● RC4
● RC5
● Blowfish

Asymmetric Key Encryption uses a different algorithm than Symmetric Key Encryption. Asymmetric Key Encryption uses a key pair that consists of a private and a public key. These keys belong to each other. A message that is encrypted with the public key can only be decrypted with the matching private key. The public key can be made public. The owner of the key pair “publishes” the public key and can distribute it as required. The private key must be kept secret.

Figure 74: Asymmetrical Encryption

The person who is sending a confidential message uses the recipient's public key to encrypt the message. Only the recipient can then decrypt the message using his or her private key.
Typical public key encryption algorithms are:

● RSA (Rivest, Shamir, Adleman)
● Diffie-Hellman

Disadvantages of Public Key Encryption:

● It is slower than Symmetrical Key Encryption.
● Encryption is only possible in one direction with a single key pair. Alice can encrypt a message to send to Bob, but not the other way round.
● If Alice also has a key pair, then Bob can send her an encrypted message.

However, there is an easier way.

The Hybrid Encryption Process is the combination of both encryption processes explained above. It makes use of the advantages of both process types. For a better understanding, we describe this process in the following example.

Figure 75: Hybrid Encryption Process

1. The client (browser) contacts the ICM process or SAP Web Dispatcher.
2. The Application Server responds and sends its Public Key.
3. On the client side, a Secret Key is created and encrypted with the Public Key that the server sent before.
4. The client sends back the encrypted Secret Key.
5. On the server, the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key which is necessary for the decryption.
6. The communication partners perform a "Handshake"; they shake hands.
7. Further communication between the client and the server is encrypted using the Secret Key.

Authentication and Digital Signatures

In the first part of this lesson we described a possible attack on the transport protocol and what can be done to secure this communication. But what happens if Mallory interferes with the communication and pretends to be Bob? He may even provide Alice with a public key, saying that it is Bob's key. The question is: how can we make sure that Alice is really communicating with Bob and that the public key she received is therefore really Bob's public key?
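The hybrid encryption steps 1 to 7 listed above, carried through as an added example (not part of the handbook and not SAP code). It assumes the third-party Python package cryptography; RSA-OAEP for the key exchange and AES-256-GCM for the payload are choices made for this sketch, and all class and function names and the sample message are constructed.

```python
"""Hybrid encryption walk-through (added example, not SAP code).

Assumptions: RSA-OAEP wraps the secret key and AES-256-GCM protects the
payload; the handbook does not name the algorithms behind its figure.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


class Server:
    """Plays the ICM / SAP Web Dispatcher side: owns the key pair."""

    def __init__(self):
        self._private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048
        )
        self._secret_key = None

    def public_key(self):
        # Step 2: the server answers with its public key.
        return self._private_key.public_key()

    def receive_wrapped_key(self, wrapped):
        # Step 5: only the holder of the private key can unwrap the secret key.
        self._secret_key = self._private_key.decrypt(wrapped, OAEP)

    def decrypt(self, nonce, ciphertext):
        # Step 7: traffic is protected with the shared secret key.
        return AESGCM(self._secret_key).decrypt(nonce, ciphertext, None)


class Client:
    """Plays the browser side."""

    def __init__(self):
        self._secret_key = None

    def wrap_new_secret_key(self, server_public_key):
        # Step 3: create a fresh 256-bit secret key and encrypt it with the
        # public key received in step 2. Nothing in this exchange tells the
        # client whose key it is; that is the question the text raises next.
        self._secret_key = AESGCM.generate_key(bit_length=256)
        # Step 4: the wrapped key is what travels over the network.
        return server_public_key.encrypt(self._secret_key, OAEP)

    def encrypt(self, plaintext):
        nonce = os.urandom(12)  # must never repeat under the same key
        return nonce, AESGCM(self._secret_key).encrypt(nonce, plaintext, None)


def run_exchange(message):
    """Run steps 1 to 7; return the wire data and what the server reads."""
    server, client = Server(), Client()
    wrapped = client.wrap_new_secret_key(server.public_key())
    server.receive_wrapped_key(wrapped)
    nonce, ciphertext = client.encrypt(message)
    return {
        "on_the_wire": (wrapped, nonce, ciphertext),
        "server_plaintext": server.decrypt(nonce, ciphertext),
    }


def readable_without_key(nonce, ciphertext):
    """An observer holds the wire data but not the secret key: a key that is
    not the negotiated one fails the GCM authentication check."""
    other_key = AESGCM.generate_key(bit_length=256)
    try:
        AESGCM(other_key).decrypt(nonce, ciphertext, None)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    result = run_exchange(b"customer list (constructed sample)")
    wrapped, nonce, ciphertext = result["on_the_wire"]
    print("wrapped key bytes:", len(wrapped))
    print("server reads:", result["server_plaintext"])
    print("readable without key:", readable_without_key(nonce, ciphertext))
```

The slow asymmetric operation runs once, on 32 bytes of key material; everything after that uses the fast symmetric key, which is the advantage the hybrid process combines.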
Figure 76: Threat: Masquerading

The problem is also covered by cryptography and is called Authentication. Authentication normally takes place using the user ID and password. But with cryptographic mechanisms it is possible to authenticate communication partners, that is, to verify that the communication partner is the one she or he claims to be. The basis for the authentication of communication partners is Digital Certificates.

Figure 77: Protection: Authentication

Understanding Digital Certificates and Digital Signatures

The digital certificate is the individual's "digital identity card" on the Internet. In the "real world", a digital certificate can be compared to a passport, which contains information about owner, issuer, serial number, and validity period. The format of the certificate is specified by the X.509 standard for digital certificates.

Figure 78: Digital Certificates (X.509)

Besides some general information, the certificate also contains the public part of the key pair, whereas the private key is not included in the certificate. The private key must be kept in a safe place.

The certificate is issued to a person or server by an authorized entity called a Certification Authority (CA). By digitally signing the certificate, the CA ensures that the public key, which matches a private key, belongs to a specific person or server. Thus, the CA ensures that the certificate cannot be "faked".

The complete infrastructure that manages the issue and verification of certificates is called the Public Key Infrastructure (PKI).

Figure 79: Certification Authority

Examples of well-known Certification Authorities:

● Verisign Inc.
● TC Trust Center
Figure 80: Certificate Enrollment

The certification of digital certificates is performed, for example, as follows:

1. A public and private key pair is generated on the server.
2. The public key is sent to the CA (it is called a Certificate Signing Request, or CSR).
3. The CA digitally signs the server's public key and sends it back to the requestor.
4. The CSR response, the digitally signed certificate, is imported into the server.

Different CAs use different policies on how to check the identity of a person or system before issuing a digital certificate.

The server now sends the digitally signed certificate, which includes the public key, to the communication partner. This kind of authentication is called Server Authentication.

But how can the communication partner ensure that the digitally signed certificate is signed by a trusted CA? The communication partner has to have a trust relationship to the CA which issued the certificate. Technically, this can be achieved by importing a digital certificate of the institution (CA) that issued the certificate for the server. This is the so-called root certificate. The most common root certificates are pre-installed in most Web browsers.

Figure 81: Trust Relationship

Securing HTTP communication using Secure Sockets Layer (SSL)

In the previous sections you learned the fundamentals of Cryptography, Authentication and Digital Certificates. These technologies are also fundamental to securing the HTTP communication.

Secure Sockets Layer (SSL) is a transparent protocol that enhances other protocols which have no security functions of their own. SSL is not an HTTP-specific protocol but a protocol used between the TCP layer and application protocols like LDAP, SMTP, HTTP and so on.
An HTTP application protocol that has been extended by SSL has the protocol identification HTTPS in the URL.

Hint: To be more precise, SAP Web Dispatcher (and the ICM) supports Transport Layer Security (TLS), which is the successor of SSL. But as the term SSL is, at least up to now, more common than TLS, this lesson (and the online documentation) still uses the term SSL instead.

SSL uses a Hybrid Encryption method and, besides data encryption, provides the following authentication mechanisms:

● Server authentication
● Client authentication
● Mutual Authentication

To use SSL for server authentication, the ICM process or SAP Web Dispatcher possesses a private and public key pair.

Figure 82: SSL: Server Authentication

1. Alice contacts the ICM process or SAP Web Dispatcher using a browser.
2. The Application Server responds and sends its Public Key with a digitally-signed message. On the client side, the server's identity is verified by checking the validity of the certificate. The certificate is only accepted if the client trusts the CA that issued that certificate to the ICM process or SAP Web Dispatcher. This is done with the CA root certificate.
3. The Secret Key is created and encrypted with the Public Key the server sent previously.
4. The client sends back the encrypted Secret Key.
5. On the server, the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key that is necessary for the decryption.
6. The communication partners perform a handshake.
7. Further communication between the client and the server is encrypted using the Secret Key.

Using SSL with an Intermediary Server

You can also use SSL for connections where an intermediary server is used. An intermediary server may be a Web proxy or the SAP Web Dispatcher.
A typical scenario is to place the intermediary server in the DMZ and the AS ABAP in the intranet zone.

The servers that are supported for use with AS ABAP are:

● SAP Web Dispatcher
● Microsoft Internet Information Server (IIS) with an IIS proxy module from SAP
● Other products (for example, the Apache Web Server)

Figure 83: SAP Web Dispatcher and SSL – Use Cases

The first connection type shown above does not use SSL at all. Therefore, you only need to set the port to HTTP. No extra configuration is needed.

For the second connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTP and the outgoing connection uses HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL client.

For the third connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTPS and the outgoing connection uses HTTP. Therefore, you must configure SAP Web Dispatcher as an SSL server.

For the fourth connection type, the request is terminated at SAP Web Dispatcher. Both the incoming connection and the outgoing connection use HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL server and an SSL client.

SAP Web Dispatcher in SSL Server Role

Figure 84: SAP Web Dispatcher in SSL Server Role

We will now consider how to configure SAP Web Dispatcher in an SSL server role.

Figure 85: SAP Web Dispatcher and SSL - Tools

We recommend that you use the Web Admin UI of SAP Web Dispatcher to configure SSL support.

As a high-level overview, these are the required steps to configure SAP Web Dispatcher for SSL when the connection is terminated and SSL is used:

1. Create the SAP Web Dispatcher's Personal Security Environments (PSE(s)) and certificate request(s).
   Create an SSL server PSE if the incoming connections use SSL. Create an SSL client PSE if the outgoing connections use SSL. Create both if both connections use SSL.
   To create an SSL server PSE with Subject Alternative Name (SAN), refer to SAP Note 2502649 Creating certificates with Subject Alternative Name (SAN) through the Web Admin page.
2. Perform the following steps for each of the PSEs that you created in the previous step:
   a. Send the certificate request(s) to a CA to be signed.
   b. Import the certificate request response(s) into the PSE.
   c. Create credentials for SAP Web Dispatcher.
3. For SSL outbound connections, import a CA root certificate into the SSL client PSE of SAP Web Dispatcher. Use the root certificate of the same CA that issued the SSL server certificate to the AS ABAP application server.
4. Set the profile parameters according to the case you are using.
5. Restart SAP Web Dispatcher.
6. Test the connection.

For details, see the online documentation for SAP NetWeaver or ABAP Platform.

Addendum: URL Generation in an AS ABAP – SAP Web Dispatcher Configuration

In a simple system landscape, the AS ABAP and the browsers are usually located in the same network. In this case, the browser can access the AS ABAP server directly using its configured name. Conversely, if the AS ABAP has to generate an absolute URL for the browser, it can use its configured name to generate the URL.

In more complex system landscapes, a reverse proxy server, for instance the SAP Web Dispatcher, is used in the network. This happens, for example, if the reverse proxy server is visible in the Internet and the AS ABAP is located behind a firewall. In this case, the browser uses the name of the reverse proxy server when it is communicating with the server. Or the other way around: it is not possible for the AS ABAP to use its own configured name to generate absolute URLs.
The URL must contain the name and port of the reverse proxy server (that is, the name and port of the unit with which the browser communicates). The configuration table HTTPURLLOC can then be used to describe how a URL is to be generated. For more information, see SAP Note 750292 – BSP: URL Generation in a config of WebAS with Web Dispatcher, which also contains a link to the online documentation.

SAP Web Dispatcher in SSL Client Role

Figure 86: SAP Web Dispatcher in SSL Client Role

If SAP Web Dispatcher also uses SSL for the connection to the AS ABAP system (re-encryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE.

Figure 87: Trust with AS ABAP – Based on a Common Certification Authority (CA)

You have different options to establish trust between SAP Web Dispatcher and an AS ABAP system. One approach is to export the SSL server certificate from the AS ABAP system and import it into the SAP Web Dispatcher client PSE. However, a more convenient approach is to have a common Certification Authority (CA) in place:

● Use this CA to sign the SSL server certificate of AS ABAP (transaction STRUST).
● Import the root certificate of the same CA into the SAP Web Dispatcher client PSE.

As of SAP Web Dispatcher 7.53, you can establish the trust with an AS ABAP-based back-end system completely in the Web Admin UI (a separate download of the respective certificate is no longer necessary). To do so, use the feature in the Web Admin UI available at <SID of SAP system> → Monitor Application Servers → <application server menu (column Name)> → Establish Trust. Here you can choose the certificate to establish the trust (Root Certificate, Issuer Certificate(s) or Peer Certificate).
Additional information

For more information, see https://wiki.scn.sap.com/wiki/display/SI/How+to+Configure+SAP+Web+Dispatcher+to+Trust+Backend+System+SSL+Certificate.

Load Balancing

SAP Web Dispatcher routes and distributes incoming HTTP(S) requests to an appropriate application server instance. The next figure illustrates the distribution in a simplified way; it also does not cover an AS Java as back-end system.

Figure 88: HTTP(S) Request to the Application Server Instance (Simplified)

In case of a stateful connection, SAP Web Dispatcher selects the application server instance that is processing the transaction.

In case of a new request or a stateless connection, SAP Web Dispatcher checks if the called prefix is assigned to a logon group. Use transaction SMLG to create logon groups, and transaction SICF to assign them to ICF services or external aliases. If no logon group was assigned to the requested prefix, SAP Web Dispatcher uses one of the following built-in logon groups:

● !DIAGS for https requests (made of all application server instances with a running ICM process offering the https protocol)
● !DIAG for http requests (made of all application server instances with a running ICM process offering the http protocol)

Both static and dynamic elements are used for load balancing with the SAP Web Dispatcher. SAP Web Dispatcher provides various procedures for load balancing with a logon group. The capacity of an application server is an important factor. The capacity is a measure of the “power” of an application server – in case of AS ABAP, the calculation is based on the number of dialog work processes. You can see which capacity SAP Web Dispatcher uses for load balancing in the Web Administration interface under Monitor Server Groups in column Capacity. Here you can also overwrite the capacity value using the right mouse button.
The changes are lost when SAP Web Dispatcher is restarted.

Hint: HTTP load balancing using the message server is deprecated. Use SAP Web Dispatcher instead. For more information, see SAP Note 1040325 HTTP load balancing: Message server or Web Dispatcher?

Multiple Systems

Support Multiple Systems

SAP Web Dispatcher supports multiple SAP (back-end) systems (and non-SAP Web servers) out of the box. You do not have to set up, configure, or maintain an SAP Web Dispatcher for each system; you can use a common SAP Web Dispatcher for all systems. This must then be configured for all connected systems.

You can separate the requests using one of the following mechanisms, or a combination of them, configured using subparameters of parameter wdisp/system.

Host Name (subparameter SRCVHOST)
Requests are forwarded to the configured system if the host name in the URL matches the host name specified in SRCVHOST.

URL path prefix (subparameter SRCURL)
Requests are forwarded to the configured system if the URL path prefix matches the URL path prefix specified in SRCURL.

Access point (IP address (or host name) and port) of SAP Web Dispatcher (subparameter SRCSRV)
Requests are forwarded to the configured system if the SAP Web Dispatcher IP address and port where the request was received match the access point specified in SRCSRV.

In most scenarios, SRCVHOST and SRCURL are sufficient to perform the system selection. If the system selection cannot be performed using the subparameters listed above, it is possible to perform system selection in the HTTP modification handler by setting header field X-SAP-WEBDISP-TARGET-SID.

Figure 89: Mechanisms for Multiple Back-End Systems

For each back-end system, add a wdisp/system_<xx> line to the SAP Web Dispatcher profile.
For example:

wdisp/system_0 = SID=ECC, MSHOST=ms_ecc.wdf.sap.corp, MSPORT=8104, SRCVHOST=ecc.acme.com
wdisp/system_1 = SID=NWP, MSHOST=ms_nwp.wdf.sap.corp, MSPORT=8134, SRCVHOST=nwp.acme.com

For each incoming request, SAP Web Dispatcher uses the configured criteria and the setting of wdisp/system_<xx> to check which system the request can go to. If the criteria are met by more than one system, the behavior is determined by the parameter wdisp/system_conflict_resolution. For more information and examples, see the online documentation.

Note: In a multiple system scenario, SAP Web Dispatcher ignores the profile parameters rdisp/mshost and ms/http_port (to avoid confusion, you can comment them out or even delete them).

Further Functions

SAP Web Dispatcher offers further functions, which are not covered in this lesson. Some of them are:

URL filtering
You can define URLs that you want to be rejected, and, by doing so, restrict access to your system.

Web caching
You can use SAP Web Dispatcher as a Web Cache to improve the response times and to conserve the application server cache.

Request rewriting
You can rewrite HTTP requests (and responses), for example to add or modify HTTP header fields.

SLD registration
You can configure SAP Web Dispatcher to register at a System Landscape Directory (SLD).

Mitigation of Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks are intentional or accidental attacks by an external third party on resources of the Application Server ABAP. DoS attacks can impact the availability or performance of services through excessive use by one or more users.

The aim of Denial of Service (DoS) protection measures is to make the AS ABAP more robust against server overload caused by excessive use, and to differentiate DoS attacks from legitimate use.
However, complete protection is impossible because there is no clear distinction between legitimate and excessive use. The server can be protected from DoS attacks by preserving server integrity and responsiveness for single-user attacks and increasing the potential cost of attacks. This can be achieved on multiple lines of defense:

● Limit connections per client IP to protect SAP Web Dispatcher and back-end system resources
● Limit concurrent requests for every back-end system (sum of all application servers)
● Limit application server resources for each user

Figure 90: Mitigation of Denial of Service (DoS) Attacks

Limit connections per client IP to protect SAP Web Dispatcher and back-end system resources

SAP Web Dispatcher can be protected from Denial of Service (DoS) attacks by limiting the number of connections from a single IP address. For every network connection that is established, the number of existing connections per client IP address is checked.

To see an overview of the top 25 consumers, including information about the number of active connections and the time of the last warning and rejection, call up the SAP Web Dispatcher Administration UI and navigate to Core System → Client IP Top Consumer.

Profile parameter icm/client_ip_connection_limit contains subparameters WARN and REJECT to specify the limits for connections from a single IP address. The values of these subparameters are percentage shares of the maximum number of connections that is specified by icm/max_conn. The default values are 90 and 100.

If the limit for WARN is exceeded, the SAP Web Dispatcher creates a system log entry (Message ID IMA) and a trace entry. To prevent the system log from being flooded with entries, only one entry per minute is created. If the limit for REJECT is reached, the SAP Web Dispatcher terminates the connection and creates a system log entry (Message ID IMB).
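An added sketch (not SAP code) of how the WARN and REJECT percentages described above turn into per-IP connection counts and system log entries. The icm/max_conn value of 100, the lowered limits and the IP addresses are constructed and are not recommendations; the WARN=..., REJECT=... value syntax is assumed to follow the comma-separated subparameter form this lesson shows for wdisp/system_<xx>.

```python
"""Model of icm/client_ip_connection_limit (added example, not SAP code)."""
from collections import Counter


def parse_subparams(value):
    """Parse 'WARN=90, REJECT=100' into {'WARN': 90, 'REJECT': 100}.

    Assumption: same comma-separated KEY=value form that the lesson shows
    for wdisp/system_<xx>.
    """
    pairs = (item.split("=", 1) for item in value.split(",") if item.strip())
    return {key.strip().upper(): int(val) for key, val in pairs}


class ClientIpLimiter:
    """Tracks open connections per client IP against WARN and REJECT."""

    LOG_INTERVAL = 60  # seconds: at most one WARN log entry per minute

    def __init__(self, max_conn, limit="WARN=90, REJECT=100"):
        sub = parse_subparams(limit)
        # The subparameters are percentage shares of icm/max_conn.
        self.warn_at = max_conn * sub["WARN"] / 100
        self.reject_at = max_conn * sub["REJECT"] / 100
        self.open = Counter()   # client ip -> open connections
        self.syslog = []        # (time, message id, client ip)
        self._last_warn = None

    def connect(self, ip, now):
        """Check one new connection; return 'accept', 'warn' or 'reject'.

        Assumption: the new connection is included in the count; WARN fires
        when the count exceeds its share, REJECT when the count reaches it.
        """
        count = self.open[ip] + 1
        if count >= self.reject_at:
            self.syslog.append((now, "IMB", ip))  # connection is terminated
            return "reject"
        self.open[ip] = count
        if count > self.warn_at:
            # Flooding protection, modelled here as one shared timer.
            if self._last_warn is None or now - self._last_warn >= self.LOG_INTERVAL:
                self.syslog.append((now, "IMA", ip))
                self._last_warn = now
            return "warn"
        return "accept"

    def disconnect(self, ip):
        if self.open[ip] > 0:
            self.open[ip] -= 1


def simulate(max_conn, limit, events):
    """Replay (time, ip, action) events; return outcome counts and syslog."""
    limiter = ClientIpLimiter(max_conn, limit)
    outcomes = Counter()
    for now, ip, action in events:
        if action == "open":
            outcomes[(ip, limiter.connect(ip, now))] += 1
        else:
            limiter.disconnect(ip)
    return outcomes, limiter.syslog


# Constructed sample: one client opens 30 connections within 30 seconds and
# keeps them open, while a second client opens 3.
SAMPLE_EVENTS = sorted(
    [(t, "198.51.100.7", "open") for t in range(30)]
    + [(t, "192.0.2.10", "open") for t in (5, 15, 25)]
)

if __name__ == "__main__":
    for limit in ("WARN=90, REJECT=100", "WARN=10, REJECT=20"):
        outcomes, syslog = simulate(100, limit, SAMPLE_EVENTS)
        print(limit)
        for (ip, result), n in sorted(outcomes.items()):
            print(f"  {ip:<14} {result:<7} {n}")
        print(f"  syslog entries: {[msg for _, msg, _ in syslog]}")
```

With the default shares the busy client in this sample is never warned or rejected, because the limits only bite close to icm/max_conn; with the lowered shares it is cut off at 20 connections while the second client is unaffected.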
Note: This mechanism is available for both the ICM and SAP Web Dispatcher.

Limit concurrent requests for every back-end system (sum of all application servers)

The back-end system of Application Server ABAP can be protected from Denial of Service (DoS) attacks by limiting the number of concurrent requests that SAP Web Dispatcher forwards to the back-end system. That way, an overload from an untrusted request source can be avoided. The number of concurrent requests is roughly equal to the number of ABAP work processes that are occupied with processing these requests.

To monitor information about pending requests that have not yet been answered by the back-end system, call up the SAP Web Dispatcher Administration UI and go to menu Dispatching Module → Backend System pending Request Info.

Profile parameter wdisp/system contains subparameters PENDING_REQUEST_LIMIT_WARN and PENDING_REQUEST_LIMIT_REJECT to specify the limits for concurrent requests in each back-end system. The values of these subparameters are absolute numbers. By default, this feature is disabled and has to be configured by the administrator.

If the limit for PENDING_REQUEST_LIMIT_WARN is exceeded, SAP Web Dispatcher creates both a system log entry (Message ID IMC) and a trace entry. If the limit for PENDING_REQUEST_LIMIT_REJECT is exceeded, SAP Web Dispatcher returns status code 503 Service Unavailable and creates a system log entry (Message ID IMD).

Note: This mechanism is available for SAP Web Dispatcher only.

Limit application server resources for each user

You can limit the resources consumed by a single user in application server instances of AS ABAP. This is configured using parameter rdisp/user_resource_limit. The parameter also has subparameters WARN and REJECT with respective values. These values are percentages. 100 stands for the entire amount of a resource available.
If the WARN limit is reached, syslog and trace entries are written (with flooding prevention). If the REJECT limit is reached, a system log entry with key R2K is written and the session is cancelled.

Note: This mechanism is available for AS ABAP only.

Additional Information on SAP Web Dispatcher

● SAP S/4HANA 2021 online documentation (Product Assistance), area Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Components of Application Server ABAP → SAP Web Dispatcher
● https://wiki.scn.sap.com/wiki/display/SI/SAP+Client-Server+Technology, area Web Dispatcher
● SAP Note 538405 SAP Web Dispatcher: composite note
● SAP Note 552286 Troubleshooting for the SAP Web Dispatcher
● SAP Note 1040325 HTTP load balancing: Message Server or Web Dispatcher?
● SAP Note 908097 SAP Web Dispatcher: Release, Installation, Patches, Documentation
● SAP Note 1708601 Inst. Web Dispatcher SAP NetWeaver 7.1 and Higher
● SAP Note 1282692 Displaying logon groups in SAP Web Dispatcher and J2EE stack
● SAP Note 2007212 Tuning SAP Web Dispatcher and ICM for high load
● SAP Note 2502649 Creating certificates with Subject Alternative Name (SAN) through the Web Admin page
● For installation guides, open the Guide Finder for SAP NetWeaver and ABAP Platform at https://help.sap.com/viewer/nwguidefinder and search for dispatcher

LESSON SUMMARY

You should now be able to:

● Describe basic functions of SAP Web Dispatcher
● Perform an installation of SAP Web Dispatcher
● Use the Web Administration interface
● Perform the configuration of SSL
● Perform the configuration of load balancing
● Describe additional functions of SAP Web Dispatcher

Unit 1 Learning Assessment

1. Which of the following technology components for HTTP–based communication can be used together with an SAP S/4HANA system? Choose the correct answers.
   X A SAP Internet Transaction Server (SAP ITS), standalone
   X B SAP Internet Transaction Server (SAP ITS), integrated
   X C Internet Communication Manager (ICM)
   X D SAP Web Dispatcher

2. Which of the following statements about Internet Communication Manager (ICM) are correct? Choose the correct answers.
   X A Similar to the number of work processes of a certain type, you can use an instance profile parameter to specify the number of ICM processes that are started for each ABAP dispatcher.
   X B It is recommended that you operate a separate ICM for each client in an AS ABAP based SAP system.
   X C ICM has replaced the Java Dispatcher process as of SAP NetWeaver AS Java 7.10.
   X D ICM can support communication protocols like HTTP, HTTPS and SMTP.

3. The creation of ICF Web service nodes with the help of transaction SOAMANAGER in the development system is recorded in transport requests. The ICF service nodes then are imported into subsequent systems with the help of the Change and Transport System (CTS). Determine whether this statement is true or false.
   X True
   X False

Unit 1 Learning Assessment - Answers

1. Which of the following technology components for HTTP–based communication can be used together with an SAP S/4HANA system? Choose the correct answers.
   X A SAP Internet Transaction Server (SAP ITS), standalone
   X B SAP Internet Transaction Server (SAP ITS), integrated
   X C Internet Communication Manager (ICM)
   X D SAP Web Dispatcher
   Correct: With an SAP S/4HANA system, you can use the integrated SAP ITS, the ICM and SAP Web Dispatcher. The standalone SAP ITS is not supported with SAP S/4HANA.

2. Which of the following statements about Internet Communication Manager (ICM) are correct? Choose the correct answers.
   X A Similar to the number of work processes of a certain type, you can use an instance profile parameter to specify the number of ICM processes that are started for each ABAP dispatcher.
   X B It is recommended that you operate a separate ICM for each client in an AS ABAP based SAP system.
   X C ICM has replaced the Java Dispatcher process as of SAP NetWeaver AS Java 7.10.
   X D ICM can support communication protocols like HTTP, HTTPS and SMTP.
   Correct. As of SAP NetWeaver AS Java 7.10, the ICM has replaced the Java Dispatcher process. In addition, the ICM supports protocols like HTTP, HTTPS and SMTP.

3. The creation of ICF Web service nodes with the help of transaction SOAMANAGER in the development system is recorded in transport requests. The ICF service nodes then are imported into subsequent systems with the help of the Change and Transport System (CTS). Determine whether this statement is true or false.
   X True
   X False
   Correct. The creation of ICF Web service nodes is not recorded in transport requests. The ICF Web service nodes need to be created in every system of a system landscape individually with the help of transaction SOAMANAGER.

UNIT 2 Setting Up SAPconnect and SMTP

Lesson 1 Setting Up Communication with SAPconnect
Lesson 2 Setting Up Communication with Simple Mail Transfer Protocol (SMTP)

UNIT OBJECTIVES

● Explain the role of SAPconnect for external communication
● Summarize the task of a Mail Transfer Agent
● Perform the configuration of the AS ABAP for the use of SMTP

Unit 2 Lesson 1

Setting Up Communication with SAPconnect

LESSON OVERVIEW

SAPconnect is a standard interface for external communication that enables data to be sent through telecommunication services, such as fax, text messages (pager, SMS), internet email, and X.400, as well as to printers and between different SAP systems.
It allows you to connect external communication components to the SAP system. In this lesson, you will learn the fundamentals of SAPconnect.

LESSON OBJECTIVES

After completing this lesson, you will be able to:

● Explain the role of SAPconnect for external communication

Overview of the Message Flow in SAP Systems

An ABAP-based SAP system offers application developers many ways to create and process messages. For example, the user might need to send a confirmation message to the sold-to party after the creation of a sales order.

Figure 91: Message Flow in the AS ABAP

Business Communication Services (BCS) are important in message processing. The services allow application developers to freely integrate sending messages internally and externally in their applications. In addition to controlling sending and receiving, BCS takes on extensive status handling and makes all sending information about an application object available. The overview of the message flow is shown in the figure “Message Flow in the AS ABAP”.

The sending of messages from SAP applications can be performed directly using BCS. Alternatively, the Post Processing Framework (PPF) can be addressed first. The PPF provides a uniform interface for generating actions in response to certain conditions (such as printing delivery notes, faxing order confirmations, or triggering approval processes). The PPF is the successor to message control and provides a greater range of functions, simpler connection to the applications, and greater flexibility than its predecessor. BCS can also be used from the SAP Smart Forms tool (and its predecessor, SAPscript) and for PDF-based Print Forms (SAP Interactive Forms by Adobe).

In addition to automated message creation and processing, you can create messages manually using the Business Workplace (previously known as SAP Office).
The Business Workplace (transaction SBWP) provides a standard working environment in which every SAP user can perform their part of the business and communication processes in the company.

Figure 92: Transaction SCOT: BCS Administration and SAPconnect

For the administration of Business Communication Services, transaction SCOT – SAPconnect is available. Using this transaction, you can access a collection of settings, reports, views, and further functions in the area of BCS. BCS forwards external messages to SAPconnect. The figure “Transaction SCOT: BCS Administration and SAPconnect” shows the entry screen of this transaction.

SAP S/4HANA Output Control

SAP S/4HANA introduces a new style of output management. The new output management is going to be the successor of all other output management frameworks (SD Output Control, FI Correspondence, FI-CA Print Workbench, CRM Post-Processing). However, all other frameworks are still available and can be used. It is not mandatory to use the new output management.

The output management for SAP S/4HANA comprises all functionalities and processes that are related to the output of documents. This includes the integration of output management functions into the business applications, the reuse component output control, as well as the SAP NetWeaver technologies and the technical infrastructure.

In the case of SAP S/4HANA Output Control, the message flow shown in the figure above changes as follows:

Figure 93: Message Flow in SAP S/4HANA Output Control

● SAP S/4HANA Output Control uses the basic output management services (like printing, form rendering and emailing) and adds more features (such as parameter determination, output of attachments and output history) for applications that require advanced output scenarios.
The applications can communicate with business receivers using print, e-mail, or electronic data interchange (EDI).
● Form Data Provider offers a dynamic data interface for output forms based on Core Data Services (CDS) and Gateway services including standard extensibility. The data interface describes the data that is passed to the form rendering service at runtime.
● Output Forms (Gateway interface) can be used to create pixel-perfect documents based on a layout definition and application data in a defined output format. The document is rendered by the service SAP Forms Service by Adobe in the requested format. Possible output formats are, for example, PDF, PCL and Postscript.

Note: For more information, see
● SAP Note 2228611 – Output Management in SAP S/4HANA
● SAP Note 2791338 – FAQ: SAP S/4HANA output management
● SAP Note 2470711 – S4TWL - OUTPUT MANAGEMENT
● SAP Note 3097507 – Output Management in SAP S/4HANA On-Premise with an attached document containing guidance for the SAP S/4HANA Output Management
● the blog Output Management in SAP S/4HANA (https://blogs.sap.com/2021/04/26/output-management-in-sap-s-4hana/)
● and the online documentation for SAP S/4HANA (Product Assistance), area Cross Components → SAP S/4HANA Output Control.

SAPconnect Features

SAPconnect is the central interface for external communication in SAP systems. SAPconnect supports the use of telecommunication services such as fax, text messages (pager or SMS), e-mail, and X.400, as well as sending data to printers and between different SAP systems. SAPconnect allows you to connect external communication components to an ABAP-based SAP system. SAPconnect provides a direct connection to the Internet using the SMTP plug-in of the Internet Communication Manager (ICM).
Figure 94: SAPconnect: Communication Options

As presented in the figure “SAPconnect: Communication Options”, there are different ways of producing the same result (such as sending mail over the Internet) when using SAPconnect. It has been possible to use external communication systems for many years; however, the use of plug-in technology requires the Internet Communication Manager process (ICM).

Note that the use of RFC destinations for SAPconnect is deprecated. In case RFC destinations for SAPconnect are required (for example, because an external communication system does not offer HTTP or SMTP connectivity), configure SAPconnect in transaction SCON. It offers a user interface similar to transaction SCOT in former releases of AS ABAP.

Note: For more information about the support for the RFC interface and SAPconnect, see the SAP note 1236270 – Support for SAPconnect RFC interface.

Communication Steps in SAPconnect Process
1. A message is created, for example, as a Web Flow item, in the Business Workplace (transaction SBWP), or by an application.
2. The message is assigned to a node based on the selected communication type and address area stored in the queue.
3. The send process (report RSCONN01, which should run periodically in the background) starts, reads the message from the queue, and transfers it to the SMTP plug-in (or an RFC destination).

Administration of SAPconnect

To be able to send messages using a communication type, the following criteria are required:
1. One configured (communication) node for the communication type is needed if you want to use it to send documents.
2. All external programs that might be needed must be available and configured.
You have the following options to configure and monitor SAPconnect:
● Transaction SOADM (requires AS ABAP 7.02 or higher)
● Transaction SCOT (corresponds to transaction SOADM, directly enters path Settings → SMTP Connection → Outbound Messages → SMTP Nodes)
● Transaction SCON (supports all communication types, is outdated)

The first two options are recommended. Use the outdated transaction SCON only for communication types different from SMTP and HTTP.

Troubleshooting SAPconnect

Various troubleshooting tools are available, some of which are mentioned as examples in the following list:
● For outbound messages, use routing tests to check whether the error during the node determination was caused by the recipient address. This test checks whether routing for outgoing messages runs correctly in the communication environment. The test provides information on how the appropriate node is determined using the specified recipient address and whether fax and paging numbers are converted according to the rules for recipient number adjustment.
● A trace can be activated for incoming and outgoing messages.
● The messages that are sent can be evaluated according to their current status. For example, all documents with transmission errors can be displayed and resent. This can be used to create overviews of the documents that have been sent in the current client. Overviews can be limited according to send times, communication methods, and send status. The entire send history of each document can also be called up. Overviews enable recipients to be notified and documents to be sent again.
Additional Information on SAPconnect

For more information on setting up communication with SAPconnect, see the online documentation for SAP S/4HANA (Product Assistance) following the paths
● SAP S/4HANA → Enterprise Technology → ABAP Platform → Other Services → Services for Application Developers → Generic Business Tools for Application Developers (BC-SRV-GBT) → Business Communication Services - Sending to SAP Applications
● SAP S/4HANA → Enterprise Technology → ABAP Platform → Other Services → Services for Business Users → SAPconnect (BC-SRV-COM)

In addition, the following SAP notes might be helpful:
● SAP Note 455127 – E-mail (SMTP) in different SAP releases
● SAP Note 17194 – Telefax in various SAP Releases
● SAP Note 455129 – Paging/SMS in different SAP releases
● SAP Note 312690 – SAPconnect: Collective note
● SAP Note 455140 – Configuration of e-mail, fax, paging or SMS using SMTP
● SAP Note 455142 – SAPconnect: Configuration paging/SMS via HTTP
● SAP Note 598718 – SAPconnect - Performance
● SAP Note 1236270 – Support for SAPconnect RFC interface
● SAP Note 1637415 – S/MIME integration in SAPconnect
● SAP Note 2841986 – Sending messages via Whatsapp using SAPconnect
● SAP Note 1917416 – SMS via HTTP: New functions

LESSON SUMMARY
You should now be able to:
● Explain the role of SAPconnect for external communication

Unit 2 Lesson 2 Setting Up Communication with Simple Mail Transfer Protocol (SMTP)

LESSON OVERVIEW
In this lesson, you learn how to send and receive e-mails using SMTP with AS ABAP.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Summarize the task of a Mail Transfer Agent
● Perform the configuration of the AS ABAP for the use of SMTP

Introduction to Communication Using SMTP

Simple Mail Transfer Protocol (SMTP) is supported directly by the ICM process.
This means that it is possible to exchange e-mails between the SAP system and any SMTP-compatible mail server without using additional external components (such as connectors or gateways). You can use any product that meets the SMTP standard as a mail server.

The figure “Task of a Mail Transfer Agent (MTA)” shows a simplified e-mail system landscape for a company. If an e-mail is sent to the address info@sap.com, it first reaches a Mail Transfer Agent (MTA). This is a program (such as sendmail) that is responsible for forwarding and delivering e-mails. When a mail is received from a Mail User Agent (MUA) (the actual email program) or a different MTA, the MTA analyzes the mail and either sends it to the local user (that is, their MUA) or forwards it to a different MTA (if alias rules have been defined, for example). In the example shown in the figure “Task of a Mail Transfer Agent (MTA)”, the inbound e-mail is forwarded to the SAP ECC system with the local domain ecc.sap.com.

Note: SAPconnect is not an MTA and it cannot automatically forward inbound mails that are not intended for it to a different mail server.

Figure 95: Task of a Mail Transfer Agent (MTA)

Faxes and text messages (pager or SMS) can be exchanged using SMTP. Faxes and text messages are packed into e-mails for this purpose. For receipt, the fax or text message server or provider sends e-mails to addresses with the SAP system domain (such as to FAX=+1212541234@crm-prod.company.com).

Restrictions of the AS ABAP with Regard to Receiving SMTP Mails

As of AS ABAP 7.02, in the outbound direction, the SAP system can transfer mails created in one client to different mail servers. You can specify the host address and port number of the mail servers in the definition of the SAPconnect SMTP node. For details, see SAP Note 2348016 – Configure multiple SMTP NODEs in SAP System.
The AS ABAP can receive e-mails via SMTP and can redistribute these e-mails to Business Workplace users. In the inbound direction, the SAP system can receive mails from any number of mail servers. Each client can be reached by a separate virtual mail server (host name, port number) that is configured in transaction SICF. The best approach to address the SAP system and its clients is to use a separate subdomain for each client (such as d01.sap.com). The subdomains are assigned to host names and port numbers using routing rules on the mail servers. Note that SAPconnect cannot be an MTA itself, that is, it cannot forward the mails to other mail servers.

SMTP Configuration

To use the SMTP function, set the following profile parameters for the AS ABAP:

Note: The restriction is that the SAPconnect send job can only be scheduled for application servers on which SMTP is activated. You should therefore activate SMTP on all application servers of the SAP system.

● rdisp/start_icman = true, this parameter starts the ICM process automatically during the system startup

Hint: In newer releases (as of SAP Kernel 7.72), this parameter does not exist any more: Here the instance always starts with an ICM process. For details, see SAP Note 2560792 – ABAP instances in S/4HANA always start with an icman process.

● exe/icman = <path for the executable of the ICM>
● icm/server_port_<xx> = PROT=SMTP,PORT=<port>, this parameter opens a TCP/IP port for receiving mails using the SMTP plug-in. <port> describes the port number. In case that no mails are to be received in this SAP system, set <port> to zero.

Note: The Internet Communication Manager process (ICM) also supports SMTP authentication and SMTP using TLS / SSL for inbound mails.
For this, the profile parameter icm/server_port_<xx> offers the additional options TLS (configures SMTP using TLS / SSL), AUTHMECHANISMS (authenticates inbound mails) and AUTHUSERS (defines authorized AS ABAP users). For example, the setting icm/server_port_<xx> = PROT=SMTP,PORT=<port>,TLS=2 means that the client must encrypt with TLS; if not, the connection is cancelled. For more information, see the online documentation for SAP S/4HANA (Product Assistance), area SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Components of Application Server ABAP → Internet Communication Manager (ICM) → Administration of the ICM → Configuration of the ICM Server Port → SMTP Authentication and SMTP Using TLS / SSL for Inbound Mails (System Type AS ABAP).

Hint: The parameter is/SMTP/virt_host_<xx> defines a virtual mail host for receiving mails. In case that all inbound mails (including status notifications) are to be received and processed in a single client of the SAP system, this parameter is not required and is/SMTP/virt_host_0 = *:*; is taken as the default. If multiple clients are intended as receivers, you must create a virtual host for each client.

To avoid performance bottlenecks due to high numbers of SMTP requests (or, optionally, HTTP/S requests), use parameters to restrict the context usage in the back-end SAP system for a protocol. Specify the percentage of all available contexts that can be used for the relevant protocol. In the SAP system, the maximum number of contexts in the system is limited by the profile parameter value of rdisp/tm_max_no (this parameter restricts the maximum number of logons for an instance). If the following quotas are exceeded, the requests will be rejected in the ICM:
● icm/HTTP(S)/context_quota
● icm/SMTP/context_quota
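Added example (not part of the SAP handbook or any SAP tool): a Python check that reads an instance profile and reports inbound SMTP ports that lack the TLS=2 or AUTHMECHANISMS options described above, and virtual mail hosts that point at a port no icm/server_port_<xx> entry opens. The profile text, host names, port numbers, function names and severity labels are constructed for this example; <mechanisms> and <users> are placeholders for real option values.

```python
import re

# Constructed instance profile for illustration (not from the handbook).
# <mechanisms> and <users> are placeholders, parsed here as opaque strings.
SAMPLE_PROFILE = """\
# constructed sample
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=SMTP,PORT=25000
icm/server_port_2 = PROT=SMTP,PORT=25001,TLS=2,AUTHMECHANISMS=<mechanisms>,AUTHUSERS=<users>
icm/server_port_3 = PROT=SMTP,PORT=0
is/SMTP/virt_host_0 = *:25000;
is/SMTP/virt_host_1 = d01.example.com:25001;
is/SMTP/virt_host_2 = d02.example.com:25002;
icm/SMTP/context_quota = 20
"""

PORT_PARAM = re.compile(r"^icm/server_port_\d+$")
VHOST_PARAM = re.compile(r"^is/SMTP/virt_host_\d+$")


def parse_profile(text):
    """Return {parameter: value}, skipping comments and blank lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'PROT=SMTP,PORT=25000,TLS=2' into {'PROT': 'SMTP', ...}."""
    opts = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        opts[key.strip().upper()] = val.strip()
    return opts


def parse_virt_host(value):
    """Split '<host>:<port>,<port>,...;' into [(host, [ports])]."""
    entries = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if chunk:
            host, _, ports = chunk.rpartition(":")
            entries.append((host, [p.strip() for p in ports.split(",")]))
    return entries


def audit_smtp(params):
    """Return (parameter, severity, message) findings for inbound SMTP."""
    findings, open_ports = [], set()
    for name in sorted(params):
        if not PORT_PARAM.match(name):
            continue
        opts = parse_options(params[name])
        if opts.get("PROT", "").upper() != "SMTP":
            continue
        port = opts.get("PORT", "")
        if port == "0":
            findings.append((name, "info", "PORT=0: this port receives no mail"))
            continue
        open_ports.add(port)
        # The handbook states that TLS=2 makes the ICM cancel unencrypted sessions.
        if opts.get("TLS") != "2":
            findings.append((name, "high",
                             f"port {port}: TLS=2 not set, so senders are not forced to encrypt"))
        if "AUTHMECHANISMS" not in opts:
            findings.append((name, "medium",
                             f"port {port}: no AUTHMECHANISMS, inbound mail is not authenticated"))
    # Consistency check chosen for this example: every concrete port named by a
    # virtual mail host should be opened by some SMTP server port.
    for name in sorted(params):
        if not VHOST_PARAM.match(name):
            continue
        for host, ports in parse_virt_host(params[name]):
            for port in ports:
                if port != "*" and port not in open_ports:
                    findings.append((name, "low",
                                     f"virtual host {host}:{port} has no matching SMTP server port"))
    if open_ports and "icm/SMTP/context_quota" not in params:
        findings.append(("icm/SMTP/context_quota", "info",
                         "not set in this profile: no explicit SMTP share of contexts"))
    return findings


if __name__ == "__main__":
    for param, severity, message in audit_smtp(parse_profile(SAMPLE_PROFILE)):
        print(f"[{severity:6}] {param}: {message}")
```
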
For example, with the setting icm/SMTP/context_quota = 20, you can specify that only 20 percent of the available contexts can be used for SMTP (mail functions). This means that you will have more capacity for HTTP(S) requests if there is a high workload.

Outgoing E-Mails in AS ABAP

E-mails are created either automatically using an application or manually in the SAP mail client (Business Workplace, transaction SBWP). They are sent to a mail server by SMTP. E-mails can also be displayed with a suitable mail client for this mail server, as shown in the figure “Outbound Mails: Process”.

Figure 96: Outbound Mails: Process

The abbreviations used in the figure are explained as follows:

POP
Post Office Protocol was defined in 1984 in connection with TCP/IP and allows the receipt of e-mails even on systems that cannot guarantee permanent connection to the mail server. POP3 is the standard protocol for most mail clients on the Internet (together with SMTP responsible for sending messages). The POP3 protocol can delete messages on the server or leave them there. It can also delete messages directly without first transferring them from the server. If more is required, such as hierarchical mailboxes or filters, use the functions of the client; the protocol does not provide these, and you may have to use IMAP.

IMAP
Internet Message Access Protocol is an e-mail protocol that allows the client to process mails on the server. You can also create folders on the mail server (remote mailboxes) to sort mails. IMAP was developed to transfer messages only when required. The users can choose (unlike with POP3) which data they want to transfer to their own computer.

SMTP
Simple Mail Transfer Protocol is the standard for exchanging e-mails between servers in the network. Mail clients use SMTP to send e-mails to a server, but not to receive e-mails.
MIME
Multipurpose Internet Mail Extensions consists of internet extensions (coding procedures) for including binary data in internet mails. In addition, MIME supports multipart mails to allow different data types in a mail or binary attachments, and mails in HTML format.

Configure Sending SMTP Mails

1. Maintain the key profile parameters for SMTP.
2. Maintain the user addresses (every user that wants to send e-mails requires an internet e-mail address). For security reasons, in case that users are maintaining their own data (transaction SU3), they cannot maintain the entries for the communication types E-mail (INT or SMTP) and Remote Mail (RML).
   a) Call transaction SU01 to enter the internet address under E-Mail Address on the Address tab page.

   Note: You can use report RSADRCK7 to create e-mail addresses of type <UserID>@<MailDomainName> automatically for all (SU01) users in your client. This report is described in more detail in the SAP note 104263 – Generating Internet addresses for users.

3. Define the default domain of the current SAP system client: In transaction SCOT, choose Business Communication Administration → Settings → SMTP Connection → Outbound Messages → Settings, tab Outbound Settings, field Default Domain.

   Hint: You need to do this for the following reasons:
   ● The SMTP plug-in logs on to the mail server with the domain as an ID.
   ● The message ID of the outbound e-mails is compiled using this domain.
   ● If an SAP user sends an e-mail without an internet e-mail address, a sender address consisting of the SAP user name and this domain is generated.

   Note: Make SAPconnect settings in transaction SCOT for every client from which you send messages.

4. Configure an SMTP node to send an internet mail.
   a) Create an SMTP node in transaction SCOT (with or without wizard).
   b) In the Mail Host and Mail Port fields, specify the mail server to which the outbound mails are to be transferred.

   Note: As of SAP Kernel 7.21, the SAPconnect SMTP interface supports both sending and receiving via a secure connection (TLS, Transport Layer Security) and a procedure for authenticating on the SMTP server (SMTP AUTH). You can make relevant settings for outgoing messages in transaction SCOT in the relevant SMTP node. For more information, see SAP Note 1724704 – SCOT: Settings for TLS and SMTP AUTH.

5. Schedule a send job, because e-mails sent from an SAP application are initially placed in a wait queue. A background job that runs periodically, the SAPconnect send job, collects e-mails from the wait queue and sends them to the mail server.
   a) In transaction SCOT, use the menu to choose Settings → Send Jobs.
   b) Create a background job with a variant (for example, SAP CONNECT INT SEND).
   c) Schedule it periodically.

   Hint: Schedule the job on an instance (application server) in which an ICM process is active.

Result
The figure “Configuring an SMTP Node” shows an example of configuring an SMTP node in transaction SCOT. It is possible to configure a node for sending faxes or for sending text messages in the same way.

Figure 97: Configuring an SMTP Node

Incoming E-Mails in an SAP System

When you send an e-mail from a mail client to a user in an SAP system, the e-mail is first forwarded to a mail server and then forwarded to the SAP system by the MTA. The e-mails are sent to the mail client in the SAP system (Business Workplace) on a client-dependent basis using SAPconnect. This is illustrated in the figure “Incoming Mails: Process”.
Figure 98: Incoming Mails: Process

The steps required to configure the mail connection in the SAP system are summarized in the figure “Configuring the Mail Connection”.

Figure 99: Configuring the Mail Connection

Configure Receiving SMTP Mails

1. Maintain the key profile parameters for SMTP.
2. Enter transaction SU01 and create a system user with the authorization profile S_A.SCON (which is shipped by SAP).
3. Maintain the internet mail address for every user that is to receive e-mails in an SAP system. For security reasons, users maintaining their own data (transaction SU3) cannot maintain the entries for the communication types E-mail (INT or SMTP) and Remote Mail (RML): Call transaction SU01 to enter the internet address under E-Mail on the Address tab page.
4. Define the default domain of the current SAP system client: In transaction SCOT, choose Business Communication Administration → Settings → SMTP Connection → Outbound Messages → Settings. On the tab Outbound Settings, enter the data in the field Default Domain.
5. For every client of an SAP system in which inbound mails (or status notifications for sent mails) are to be received and possibly processed, create an SMTP server node for which an assignment to a virtual mail host and logon data are stored.

   Note: In transaction SICF, SAP already ships an SMTP server node for every SAP system. Use this for the first client that you want to be able to receive mails, and create a new SMTP server node for each additional client. If you are working with multiple clients, you need to create a virtual host for each client in which messages are received using the SMTP plug-in. Make sure that you do not delete the SMTP server node by accident, see SAP Note 2728590 – SAPCONNECT service has been deleted from SICF.

   a) Call transaction SICF and choose Execute. Under the list Virtual Hosts / Services, double-click SAPconnect.
   b) On the Host Data tab page, maintain the settings for parameter is/SMTP/virt_host_<*> = <host>:<port>,<port>,...;

   Note: This parameter defines a virtual mail host for receiving mails. In case that all inbound mails (including status notifications) are to be received and processed by a single client in the SAP system, this parameter is not required. In this case, is/SMTP/virt_host_0 = <*>:<*>; is used as the default. In case that multiple clients are intended as receivers, you need to create a virtual host for each client; <host> and <port> describe the name of the host and the port to which inbound mails are addressed.

   c) On the Logon Data tab page, enter the client to which the mails received by the virtual mail host are to be forwarded and maintain the logon data of the system user that has been created in this client for the inbound mails.
   d) On the Handler List tab page, add the handler CL_SMTP_EXT_SAPCONNECT at position no. 1.

   Note: Every SMTP server must be activated (in transaction SICF under Service/Host → Activate from the menu or by clicking the right mouse button and using the context menu) after it has been created or changed.

Administration of SAPconnect

SAPconnect offers a uniform administration interface that can help to set up the external communication of an SAP system using SMTP and to monitor its running send operation. You can navigate from here to all settings relevant for SAPconnect. Additionally, the administration interface offers functions that help you to maintain and manage your SAPconnect environment.

Use transaction SCOT to configure SAPconnect for communication type Internet (e-mail via SMTP). You can use various views of the communication infrastructure in transaction SCOT. Start with the view Business Communication Administration → Administration → System State.
Schedule the send process periodically in transaction SCOT, by choosing Business Communication Administration → Settings → Send Jobs.

Figure 100: Transaction SCOT: Maintenance of SMTP Node(s)

Caution: Most settings of SAPconnect are client-dependent.

External communication systems log on to the SAP system as a system user. The authorizations for this user are contained in the profile S_A.SCON.

The SAPconnect administrator requires the authorizations for the system user and the authorizations for table maintenance, which are checked using the authorization object S_TABU_DIS. These authorizations are contained in the roles SAP_BC_SRV_COM_ADMIN and SAP_BC_SRV_GBT_ADMIN.

Note: SAPconnect provides the option to send e-mails signed using S/MIME standards and/or encrypted or to receive and decrypt/verify e-mails that were encrypted and/or signed using S/MIME. The S/MIME standard has been integrated into SAPconnect. As an alternative to the option of creating secured messages using S/MIME using SAPconnect, you can also use the product of a third-party, such as a Secure Email Proxy. For this, choose Business Communication Administration → Settings → Outbound Messages → Settings in transaction SCOT. Here on tab Signature & Encryption, you can select the required combination for the e-mail signature or encryption.
Related Information: Setting Up Communication with SMTP

For more information on setting up communication with SAPconnect, see the online documentation for SAP S/4HANA 2020 (Product Assistance) following the path SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Other Services → Services for Business Users → SAPconnect (BC-SRV-COM)

In addition, the following SAP notes might be helpful:
● SAP Note 455140 – Configuration of e-mail, fax, paging or SMS using SMTP
● SAP Note 455127 – E-mail (SMTP) in different SAP releases
● SAP Note 312690 – SAPconnect: Collective note
● SAP Note 149926 – Secure e-mail: Encryption, digital signature
● SAP Note 104263 – Generating Internet addresses for users
● SAP Note 690020 – SAPconnect send process hangs with large mails
● SAP Note 607108 – Problem analysis when you send or receive e-mails
● SAP Notes 633265, 664833, 694151 and 883840 – SMTP PlugIn: Multi-codepage ability
● SAP Note 1724704 – SCOT: Settings for TLS and SMTP AUTH
● SAP Note 1702785 – Error diagnosis for SMTP using TLS and SMTP authentication
● SAP Note 2148070 – Configuration of e-mail using SMTP (outbound) [Video] with a link to a troubleshooting guide
● SAP Note 2348016 – Configure multiple SMTP NODEs in SAP System
● SAP Note 2337000 – Can SAP system pull emails from the Exchange server?
● SAP Note 3085702 – Dump STRING_SIZE_TOO_LARGE occurred for email sending background job
● SAP Note 2979460 – AS ABAP: Default value of profile parameter SAPLOCALHOSTFULL changed with ABAP Platform 2020
● SAP Note 3064215 – Error message XS816 'SMTP communication error' for SMTP messages in SOST
● SAP Note 3141466 – DNS Server Network Error (dns_unresolved_hostname) when using HTTP enabled applications
● SAP Note 2417443 – Inbound error "554 Transaction failed"
● SAP Note 2728590 – SAPCONNECT service has been deleted from SICF

LESSON SUMMARY
You should now be able to:
● Summarize the task of a Mail Transfer Agent
● Perform the configuration of the AS ABAP for the use of SMTP

Unit 2 Learning Assessment

1. SAPconnect allows you to connect external communication components to an ABAP-based SAP system using different technologies. Which of the following scenarios are possible?
Choose the correct answers.
X A HTTP plug-in to paging provider
X B SOAP plug-in to e-mail server
X C SMTP plug-in to e-mail server
X D ALE plug-in to e-mail server

2. What does the following parameter and value mean: icm/SMTP/context_quota = 30?
Choose the correct answer.
X A 30 percent of the available contexts can be used for HTTP.
X B 30 work processes can be used for SMTP.
X C 30 percent of available contexts can be used for SMTP.
X D 30 is the maximum number of users that may have an e-mail address assigned to their user master data.

Unit 2 Learning Assessment - Answers

1. SAPconnect allows you to connect external communication components to an ABAP-based SAP system using different technologies. Which of the following scenarios are possible?
Choose the correct answers.
X A HTTP plug-in to paging provider
X B SOAP plug-in to e-mail server
X C SMTP plug-in to e-mail server
X D ALE plug-in to e-mail server

Correct. SAPconnect offers an HTTP plug-in and an SMTP plug-in.

2. What does the following parameter and value mean: icm/SMTP/context_quota = 30?
Choose the correct answer.
X A 30 percent of the available contexts can be used for HTTP.
X B 30 work processes can be used for SMTP.
X C 30 percent of available contexts can be used for SMTP.
X D 30 is the maximum number of users that may have an e-mail address assigned to their user master data.

Correct. The parameter icm/SMTP/context_quota = 30 defines what percentage of all available contexts can be used for processing SMTP requests (the maximum number of contexts is restricted in the back-end by the value of the profile parameter rdisp/tm_max_no).

UNIT 3 Installing an Enqueue Replication Server (ERS)

Lesson 1: Managing an Enqueue Replication Server (ERS)

UNIT OBJECTIVES
● Install and operate an Enqueue Replication Server

Unit 3 Lesson 1 Managing an Enqueue Replication Server (ERS)

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Install and operate an Enqueue Replication Server

Introduction to the Enqueue Replication Server (ERS)

The enqueue function is not just available in the classical ABAP central instance, it is also available in a standalone server (central services instance).

In older SAP releases, AS ABAP-based SAP systems were installed with an enqueue as work process of the Primary Application Server, also called Central Instance. Starting with AS ABAP 7.00, it was possible to set up an AS ABAP-based SAP system with a stand-alone enqueue service, as part of the central service instance (ASCS). As of AS ABAP 7.03, using the ASCS is the default installation option for new SAP systems. Starting from AS ABAP 7.50, SAP systems which have more than one application server and are running without ASCS are not supported any longer. As of AS ABAP 7.51, AS ABAP-based SAP systems without ASCS are not supported any longer.

Note: AS Java-based SAP systems are always installed with a central service instance (SCS).
Figure 101: SAP System Without ASCS

Using the classical setup without ASCS there are some single points of failure (SPOF) – see the figure above:
● The SAP Message Server can be restarted quite fast. As long as it is not available, there is no communication possible between the application servers, but there is no loss of critical data.
● The SAP Database has to be secured by means of database failover solutions.
● The central instance is a SPOF, because it contains the enqueue service. The enqueue service contains the critical lock data in main memory. If the enqueue service fails, the lock data will be lost. In this case, all transactions holding locks have to be reset.

To avoid the need to implement high availability for the entire central instance, SAP recommends that you use the Standalone Enqueue Server as part of the ASCS instance. As of AS ABAP 7.40, the use of the ASCS is the default architecture (which means that the SAP system then has no central instance any more – see the following figure):

Figure 102: SAP System With ASCS

The Standalone Enqueue Server provides the following benefits:
● The enqueue clients (SAP application servers) and the enqueue server communicate directly, that is, the work process has a TCP connection to the enqueue server. They no longer communicate via the dispatchers and the message server.
● You can implement the standalone enqueue server as part of the high availability enqueue server solution (with replication server) and thus make the enqueue server breakdown-proof. The procedure to do this is closely linked to the implemented cluster software.

Figure 103: SAP System With ASCS and ERS

When using an Enqueue Replication Server (ERS), each change of the lock table of the enqueue service is replicated to the ERS.
The answer to the requesting enqueue client (the work process) is processed as soon as the replication is successful.

The multi-threaded architecture of the Standalone Enqueue Server allows parallel processing and synchronization with the ERS. The throughput is higher than with a classical setup that uses a dispatcher with an enqueue work process.

Each work process is connected with the Standalone Enqueue Server. The enqueue server is connected with the ERS. The stand-alone enqueue server communicates via port sapdp<nn> with its clients. <nn> is the instance number of the ASCS. Because application servers running on the same host communicate using this port as well, the ASCS needs its own instance number.

Standalone Enqueue Server (1) and Standalone Enqueue Server 2

To monitor locks of the Standalone Enqueue Server, the AS ABAP offers transaction SM12. With Standalone Enqueue Server 2, SAP offers a successor to the Standalone Enqueue Server. For administration, transaction SMENQ can be used. Before you switch from Standalone Enqueue Server to Standalone Enqueue Server 2, you need to make additional changes in the ASCS instance profile.

Note: Starting with AS ABAP 7.52, the Standalone Enqueue Server 2 also includes replication support using Enqueue Replicator 2. As of ABAP Platform 1809, the Standalone Enqueue Server 2 (and Enqueue Replicator 2 for high-availability scenarios) is installed by default. Starting with ABAP Platform 2020, the Standalone Enqueue Server 2 (and Enqueue Replicator 2 for high-availability scenarios) is the only available option. Transaction SM12 now shows the same data as transaction SMENQ and the “old” view of transaction SM12 has been moved to transaction SM12OLD.
Detailed information concerning the Standalone Enqueue Server (1) and the Standalone Enqueue Server 2 can be found in the online documentation for
● SAP S/4HANA 1909 (Product Assistance), area SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Components of Application Server ABAP → Standalone Enqueue Server and SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Components of Application Server ABAP → Standalone Enqueue Server 2.
● SAP S/4HANA 2021 (Product Assistance), area SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Components of Application Server ABAP → SAP Lock Concept → Standalone Enqueue Server 2.

The following figure compares the two versions of the Standalone Enqueue Server.

Figure 104: Comparison: Standalone Enqueue Server 1 vs. 2

Communication Between Enqueue Server and ERS

The enqueue server opens port enque/encni/repl_port (for Standalone Enqueue Server (1)) or enq/replicatorport (for Standalone Enqueue Server 2) to wait for the connection of the ERS.

To use the Standalone Enqueue Server 2 together with the Enqueue Replicator 2 in a high availability environment with automated failover in error situations, they have to be supported by an HA solution. For more information, see SAP Note 2711036 – Usage of the Standalone Enqueue Server 2 in an HA Environment.
● If the Standalone Enqueue Server fails, it will be restarted by the HA software on the host of the ERS and copies the replication table in main memory from the ERS in order to rebuild its lock table. In other words, the enqueue server follows the ERS.
● If the ERS fails, it can be restarted on a different host. The ERS can copy the entire lock table from the stand-alone enqueue server.
During normal operation, the ERS only receives the delta information from the Standalone Enqueue Server.

Configuration of ERS

Before using the ERS, it has to be installed and configured. The following road map shows the essential steps for installation, configuration and usage of the ERS:

Note: Some of the steps depend on the ERS version.

Figure 105: Installing And Configuring ERS

Installation

Before installing an ERS, the SAP system must be set up with an ASCS. Then the ERS can be installed using SAP Software Provisioning Manager (SWPM). Use the menu options High-Availability System in the corresponding section.

File system structure

The ERS is installed in the /usr/sap/<SID>/ERS<nn> directory. Subdirectory exe contains programs that can check the correctness of replication (ensmon) and can view the lock table (enqt). These two programs are needed when using Enqueue Replication Server 1. For Enqueue Replication Server 2, you can use the enq_admin tool, see SAP Note 2808886 – enqt command is not working with Standalone Enqueue Server 2 (ENSA2) enabled.

Profile Parameters

If you are using the Standalone Enqueue Server (and in certain circumstances the Enqueue Replication Server also), you need to set several profile parameters. Different parameters are relevant for the enqueue clients (application server instances), the enqueue server, and the Enqueue Replication Server. The parameters concerning the Standalone Enqueue Server are also relevant when not using the ERS.

The parameters that are used depend on the version of the Standalone Enqueue Server. All parameters that start with “enq/” refer to Standalone Enqueue Server 2. Up to (and including) SAP S/4HANA Server 1909, the parameter enq/enable defines which Standalone Enqueue Server is to be used. TRUE means that Standalone Enqueue Server 2 will be used.
The parameter should be set in the DEFAULT profile because it must be identical for all application servers of an SAP system.

Note: As of SAP S/4HANA 2020, parameter enq/enable is not used any more – see SAP Note 3030085 – Obsolete ENQ parameters in SAP Basis 755.

Profile Parameters for the Standalone Enqueue Server (1) and Enqueue Replication Server (1)

The standard parameters in the enqueue environment are also valid for the Standalone Enqueue Server. The most important parameter is enque/table_size, which specifies the size of the lock table in KB; the default is 16384 (= 16 MB).

Instance profile of the enqueue clients (application servers):
● enque/deque_wait_answer: determines if the dequeue is performed synchronously or asynchronously. TRUE = wait for answer of stand-alone enqueue server, FALSE = don’t wait. This parameter must be set to TRUE (case sensitive) in case of a stand-alone enqueue server.
● enque/process_location: type of communication. Default is REMOTESA (direct communication), and should not be changed.
● enque/serverhost and enque/serverinst: host and instance number of Standalone Enqueue Server.

Instance profile of the Standalone Enqueue Server:
● enque/server/replication: true or false. This parameter must be set to true in case of ERS.
● enque/encni/repl_port: Use only if the default port 5<nn>16 should not be used.
● enque/server/max_clients: Number of processes that can connect to the enqueue server in parallel. Default is 1000.

Profile of the ERS:
● enque/enrep/*

Hint: For more information about the Standalone Enqueue Server (1), see the online documentation (Application Help) for SAP NetWeaver Application Server for ABAP 7.52, area SAP NetWeaver Library: Function-Oriented View → SAP NetWeaver Application Server for ABAP Infrastructure → Components of SAP NetWeaver Application Server for ABAP → Standalone Enqueue Server.
Table 2: Selected Profile Parameters when Using the Enqueue Replication Server (1)
Profile | Parameter | Value
Instance profile of ASCS | enque/server/replication | true
Default profile of application servers | enque/deque_wait_answer | TRUE
Default profile of ERS | enque/deque_wait_answer | TRUE

Profile parameters for the Standalone Enqueue Server 2 and Enqueue Replication Server 2

For the Standalone Enqueue Server 2, with the help of parameter enq/server/schema, a schema is created in the lock table on the basis of its name. The addition MAX_LOCKS for this parameter specifies the maximum number of locks.

The following parameters should be set in the DEFAULT profile as they need to be identical on all instances:
● enq/enable = TRUE (to be used up to and including SAP S/4HANA Server 1909) specifies that the Standalone Enqueue Server 2 is to be used.
● enq/serverhost = <host of ASCS instance> and enq/serverinst = <number of ASCS instance> specify both host and instance number of the Standalone Enqueue Server.
● enq/replicatorhost = <host of ERS instance> and enq/replicatorinst = <number of ERS instance> specify both host and instance number of the Enqueue Replication Server.

In addition, the following parameters are important for the instance profiles of the Standalone Enqueue Server 2 (enq/server/replication/enable) and of the enqueue clients / application server instances of the SAP system (enq/client/max_async_requests):
● enq/server/replication/enable must be set to true in case of an ERS.
● enq/client/max_async_requests should be set to 0 (default value): enqueue clients can send asynchronous requests to Standalone Enqueue Server 2. The value 0 for this parameter ensures the synchronization between the lock table and the replication table.
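The settings listed above can be checked mechanically before an instance is restarted. The following Python check is an added example, not SAP tooling or part of the course material: it parses profile text and reports deviations from the values this lesson names for both Standalone Enqueue Server versions. The role labels DEFAULT, ASCS and APP, the function names and the sample profiles are assumptions made for the example.

```python
"""Check SAP profile text against the ERS-related settings named in this lesson."""


def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


# Rule: (profile role, parameter, expected value or None for "any value",
#        compare case-sensitively, acceptable when unset because of its default).
# Only enque/deque_wait_answer is described as case sensitive; treating the
# other comparisons as exact or lenient is a choice made for this example.
RULES = {
    1: [
        ("ASCS", "enque/server/replication", "true", False, False),
        ("APP", "enque/deque_wait_answer", "TRUE", True, False),
        ("APP", "enque/process_location", "REMOTESA", True, True),
        ("APP", "enque/serverhost", None, False, False),
        ("APP", "enque/serverinst", None, False, False),
    ],
    2: [
        ("ASCS", "enq/server/replication/enable", "true", False, False),
        ("APP", "enq/client/max_async_requests", "0", True, True),
    ],
}
# Standalone Enqueue Server 2 parameters that belong in the DEFAULT profile
# because they must be identical on all instances.
ENSA2_DEFAULT_ONLY = ("enq/serverhost", "enq/serverinst",
                      "enq/replicatorhost", "enq/replicatorinst")


def check_profiles(profiles, ensa_version, uses_enq_enable=False):
    """Return a list of findings for {'DEFAULT'|'ASCS'|'APP': profile text}."""
    parsed = {role: parse_profile(text) for role, text in profiles.items()}
    default = parsed.get("DEFAULT", {})
    findings = []
    for role, name, expected, exact, unset_ok in RULES[ensa_version]:
        # An instance profile value takes precedence over the DEFAULT profile.
        effective = {**default, **parsed.get(role, {})}
        value = effective.get(name, "")
        if not value:
            if not unset_ok:
                findings.append(f"{role}: {name} is not set")
            continue
        if expected is None:
            continue
        ok = value == expected if exact else value.lower() == expected.lower()
        if not ok:
            findings.append(f"{role}: {name} = {value}, expected {expected}")
    if ensa_version == 2:
        wanted = dict.fromkeys(ENSA2_DEFAULT_ONLY)
        if uses_enq_enable:  # only up to and including SAP S/4HANA Server 1909
            wanted["enq/enable"] = "TRUE"
        for name, expected in wanted.items():
            value = default.get(name, "")
            if not value:
                findings.append(f"DEFAULT: {name} is not set")
            elif expected is not None and value != expected:
                findings.append(f"DEFAULT: {name} = {value}, expected {expected}")
            # An instance profile must not diverge from the shared value.
            for role, params in parsed.items():
                if role != "DEFAULT" and params.get(name, value) != value:
                    findings.append(f"{role}: {name} = {params[name]} overrides DEFAULT")
    return findings


# Constructed sample profiles (host names and instance numbers are made up).
SAMPLE = {
    "DEFAULT": """
# DEFAULT.PFL
enq/enable = TRUE
enq/serverhost = ascshost
enq/serverinst = 01
enq/replicatorhost = ershost
enq/replicatorinst = 10
""",
    "ASCS": """
# ASCS instance profile
enq/server/replication/enable = false
""",
    "APP": """
# application server instance profile
enq/client/max_async_requests = 5
enq/replicatorhost = otherhost
""",
}

if __name__ == "__main__":
    for finding in check_profiles(SAMPLE, 2, uses_enq_enable=True):
        print(finding)
```

With the constructed sample, the check reports the disabled replication switch, the non-zero asynchronous request limit, and the replicator host that one instance profile sets differently from the DEFAULT profile.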
Table 3: Selected Profile Parameters in the DEFAULT profile when Using the Enqueue Replication Server 2
Profile | Parameter | Value
Instance profile of ASCS | enq/server/replication/enable | true
DEFAULT profile | enq/enable (to be used up to and including SAP S/4HANA Server 1909) | TRUE

Hint: Detailed information concerning the relevant profile parameters for the Standalone Enqueue Server 2 and their comparison to parameters for Standalone Enqueue Server (1) can be found in the online documentation for SAP S/4HANA 2021 (Product Assistance), area SAP S/4HANA → Enterprise Technology → ABAP Platform → Application Server ABAP Infrastructure → Components of Application Server ABAP → SAP Lock Concept (BC-CSR-EQ) → Standalone Enqueue Server 2 → Configuration of the Standalone Enqueue Server 2 → Comparison of Old and New Profile Parameters.

Start and Stop

The ASCS and ERS can be started and stopped using the SAP MC or the SAP MMC. The ERS has to be started before starting the ASCS. The ASCS has to be stopped before stopping the ERS.

Monitoring

For Standalone Enqueue Server 2, you can use transaction SMENQ in Application Server ABAP to monitor which locks are currently held. Here, you can monitor the lock table, and detect and correct problems, for example by deleting locks no longer needed.

Transaction SMENQ offers the following views:
● Standard: Here application developers and end users can search for their locks.
● Server Administration: Here you can administrate and monitor the Standalone Enqueue Server 2. This view is relevant for system administrators and SAP Support.
● Replicator Administration: This view is only visible if you have configured Enqueue Replication Server 2 for the replication. Here you can administrate and monitor the Enqueue Replication Server 2. This view is relevant for system administrators and SAP Support.
Note: As of SAP S/4HANA Server 2020, you can use transaction SM12 for this as well.

For Standalone Enqueue Server (1), by contrast, you can monitor the enqueue server and the Enqueue Replication Server using program ensmon. The lock table of the ERS can be monitored using enqt by starting the program on the host of the ERS.

Note: The ensmon process connects to the enqueue server across the network. You must specify the name of the host on which the enqueue server is running, either by specifying the profile pf=<profile> or by using the call option -H <hostname>. You can specify the instance number of the enqueue server in the parameter -I <server instance>. The behavior of the ensmon program is controlled using numerical operation codes (opcodes). If you enter ensmon -help, an overview of these operation codes is displayed.

The Enqueue Replication Server is normally monitored by an extra software program. This may be the SAP start service, which starts the replication instance, or it may be HA software, which monitors the enqueue and replication servers in the cluster.

Trace files provide important information for error analysis. Both the enqueue server and the Enqueue Replication Server write trace files to the work directory. You can view these files using operating system functions or the SAP Management Console.
● File dev_enqsrv (for Standalone Enqueue Server (1)) or dev_enq_server (for Standalone Enqueue Server 2) is written only when the enqueue server is started up. All problems occurring when the enqueue server is started (for example, when the replica is read or the lock table created) are analyzed with this file.
● Problems arising from the Enqueue Replication Server are written to file dev_enq_replicator in the work directory of the ERS instance (in case of Standalone Enqueue Server 2).
For Enqueue Replication Server (1), almost all components of the replication server write to file dev_enrepsrv (or dev_enq_server).

Additional Information

For additional information, see SAP Notes
● 2808886 – enqt and ensmon commands are not working with Standalone Enqueue Server 2 (ENSA2) enabled
● 2917868 – ENQU, ENSA 2.0: Lock Table Overflow
● 2630416 – Support for Standalone Enqueue Server 2
● 3030085 – Obsolete ENQ parameters in SAP Basis 755
● 2456601 – How to find SAP WIKI for BC-CST-EQ
● 2954193 – ERS instance profile location

LESSON SUMMARY
You should now be able to:
● Install and operate an Enqueue Replication Server

Unit 3 Learning Assessment

1. You are running an AS ABAP-based SAP system with ASCS but without Enqueue Replication Server (ERS). Which components are to be considered as a Single Point of Failure for this SAP system?
Choose the correct answers.
X A Message Server
X B Enqueue Server
X C Primary Application Server
X D Database

Unit 3 Learning Assessment - Answers

1. You are running an AS ABAP-based SAP system with ASCS but without Enqueue Replication Server (ERS). Which components are to be considered as a Single Point of Failure for this SAP system?
Choose the correct answers.
X A Message Server
X B Enqueue Server
X C Primary Application Server
X D Database

Correct. The Single Points of Failure are the Message Server, the Enqueue Server and the Database.
UNIT 4 Configuring Central User Administration (CUA)

Lesson 1 Understanding the Basic Idea of CUA
Lesson 2 Setting Up a CUA
Lesson 3 Performing User Administration with CUA

UNIT OBJECTIVES
● Explain the idea of the CUA
● Set up the required technical users and RFC destinations for CUA
● Activate and configure the CUA
● Initialize the data synchronization for company address data and user data
● Use the CUA for user administration
● List the steps to remove a CUA

Unit 4 Lesson 1 Understanding the Basic Idea of CUA

LESSON OVERVIEW
This lesson introduces the principles of Central User Administration (CUA), and provides decision-making aids.

Business Example
In your landscape of SAP systems, the same users exist in a number of systems and clients. You want to learn how you can reduce the costs of maintaining users in the different SAP systems. You can reduce the costs for user administration by centrally administering the users in distributed systems.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain the idea of the CUA

Central User Administration (CUA) Fundamentals

User information is stored in a client-specific manner in AS ABAP based SAP systems. That is, every client in a system has its own, independent group of permitted users. If you have a complex system landscape in your company, you might have more than one of the three standard system types (DEV, QAS, and PRD).

Hint: For example, you have three SAP production systems: an SAP S/4HANA Server system as an ERP production system, an SAP ECC system as an HCM production system, and an SAP SCM system for production planning. These systems would all be regarded as “PRD” systems.

Classically, users are maintained in the respective system and client.
If, for example, a developer retires from your company, you must ensure that the relevant user cannot log on to any client in any system any longer. If you do not know exactly which areas your colleague worked in as an end user, you need to log on to every single client that they may have used and manually search for and lock (or even remove) the user master data. In complex landscapes, this task can easily become confusing. There may, therefore, be potential security gaps in your user administration. This can result in large costs for consistent user maintenance.

Note: Users that are no longer to be used for logging on to the SAP system should be locked and not deleted.

The following figure should clarify the structure of user administration in a “classic” scenario with multiple SAP systems.

Figure 106: Classic User Administration

As you can see from the figure above, the number of “interesting” clients (that is, clients other than 000) to be administrated is 15, even in this simple example. The clients shown are used for different purposes, for example, client 550 is not required in the production system in the SAP ECC system landscape (because this is a test client or a training client, for example).

Note: SAP recommends removing (unused) clients 001 and 066 (see SAP Note 1749142 for details).

Concept of Central User Administration

The aim of Central User Administration (CUA) is to reduce the cost for user administration and to make user administration more secure by centralizing the work. The concept of CUA envisages only a single client for maintaining user data; that is, you determine the following list of points at a central location in your system landscape.

What You Define with Central User Administration
● Which user master records exist in which clients?
● Which roles and profiles are assigned to these master records?
● What are the initial passwords?
● Is the user locked or not?

The above user data is managed in only one place. This means that you can have an overview of the situation for managing your user data.

Before you decide to implement CUA, the following prerequisites should exist in your system landscape; otherwise the work reduction due to the implementation of CUA will not be optimal.

Prerequisites for Efficient CUA Implementation
● There are a large number of identical users in multiple clients
● There is a complex system landscape with a large number of clients to be managed
● You want to reduce the costs of complex, distributed user administration by implementing Central User Administration

The prerequisites above are not entirely self-explanatory. If, for example, you have a “standard three-system landscape” in which the users primarily work in one client each, and the user groups in the different clients are almost disjunctive, the cost saving due to the implementation of CUA is not particularly large. The situation is similar if you use identical users in multiple clients, but your system landscape only contains a few clients, or the number of administered users is not especially high in total.

Hint: CUA can also simplify the user administration in small system landscapes, as the user master records are then only administered in one client of your system landscape, which is clearly laid out. This increases the security of the systems that you administer.

As the following figure illustrates, you can perform all work relating to user master records from one central client when you implement CUA.

Figure 107: User Administration Using CUA - Example
Using CUA, which resides in a dedicated system, you can now distribute the following information from the central system to the child systems by Application Link Enabling (ALE) technology:
● Which users exist in which system, in which client, and with which roles and profile assignments.
● Which initial password is assigned to each user.

Hint: ALE is a powerful tool, and only a small portion of its many possibilities is used in the context of CUA.

Notes on Implementing CUA

The following list contains important notes for implementing CUA.
1. SAP recommends to implement the CUA central system in a system with the highest available release of software component SAP_BASIS. Your system should be as up to date as possible, with the latest Support Packages and kernel patches.
2. CUA can be used cross-release, although a connected system should also have a Support Package status as current as possible.
3. CUA can be used for user administration in all AS ABAP based SAP systems (SAP S/4HANA On-Premise, SAP ECC, SAP BW, and SAP SCM systems, for example). However, you should search for SAP Notes about this topic in the SAP Notes database before implementing CUA, and take these into account.

Note: For the use of CUA in SAP S/4HANA systems, take SAP note 2570961 – Simplification item S4TWL - Business User Management (and the SAP Notes referenced therein) into consideration.

In an ALE integrated system union, SAP and non-SAP systems may be in contact. The systems linked to each other are called logical systems. The logical systems in the context of CUA are, in this case, the clients involved. That is, a single SAP system can house multiple logical systems in terms of ALE (and CUA). Data exchange in an ALE integrated system is performed by exchanging intermediate documents (IDocs) via Remote Function Call (RFC) destinations.
Caution: Ensure also that if CUA is in use and role definitions are transported (by means of transport requests from one system to another system), the user assignments to the roles are not transported. If CUA is in use and role definitions, including user assignments, are transported at the same time, discrepancies might arise in the user assignment to roles. You can avoid these problems as described in SAP Note 571276 – PFCG: Transporting roles using transaction SM30 by setting the USER_REL_IMPORT entry in table PRGN_CUST to NO in all the child systems in CUA.

Related Information

For more information on Central User Administration, see the online documentation for SAP S/4HANA (area Product Assistance), path (depending on the release)
● Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration (including a glossary) or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems → (Link to) Central User Administration or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security Concepts and Tools → Identity Management → User and Role Administration of Application Server ABAP and from there either Configuration of User and Role Administration → Central User Administration or Administration of Users and Roles → Operating Central User Administration.
and SAP Note 2918803 – When is CUA out of maintenance?.

LESSON SUMMARY
You should now be able to:
● Explain the idea of the CUA
Unit 4 Lesson 2 Setting Up a CUA

LESSON OVERVIEW
In this lesson, you will learn about setting up Central User Administration (CUA). All of the required steps are presented in chronological order.

Business Example
The user administration of the SAP systems in your company is to be organized more efficiently and more clearly. CUA is to be implemented to do this.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Set up the required technical users and RFC destinations for CUA
● Activate and configure the CUA
● Initialize the data synchronization for company address data and user data

CUA Preparations

Setup Overview

The steps listed in the following “roadmap” are required to set up Central User Administration.

Figure 108: Roadmap for Setting Up the CUA

Note: Where the term technical users is used here, it refers to technical users in terms of user classification for system measurement. In this case, the class of “technical users” represents users who are not enabled for interaction (SAP GUI / ICF). The technical users that are used for CUA are of the type System (created as such in transaction SU01), although the documentation and SAP Notes sometimes refer to users of the type Communication. However, this recommendation is out of date, since users of the type Communication, unlike users of the type System, are subject to the password change rules. Note that as of SAP S/4HANA Server 1909, the entry screen of transaction SU01 contains the additional button (Create) Technical User.
System Setup in This Class

In ADM103 training classes (or classes derived from ADM103), the system setup concerning the exercises for this lesson is as follows:

Setup for the Q team
Central system: client 100 in system S4Q (logical system S4QCLNT100)
Child system: client 000 in system S4Q (logical system S4QCLNT000)

Setup for the P team
Central system: client 100 in system S4P (logical system S4PCLNT100)
Child system: client 000 in system S4P (logical system S4PCLNT000)

The following figure should also clarify this setup for this course.

Figure 109: CUA Infrastructure in this Training

Caution: In the following, only the terms central system and child system are used. This refers specifically to clients (logical systems). Therefore, if your company runs the central CUA and child CUA on the same SAP system (in different clients), the terms central system and child system refer to different clients in the same SAP system.

Specifying and Assigning the Logical Systems

You can specify logical systems as follows:
1. Log onto your central system with an administration user.
2. In the Implementation Guide (transaction SALE), choose Basic Settings → Logical Systems → Define Logical System, or start transaction BD54. Alternatively, you can maintain the table view V_TBDLS using transaction SM30.
3. From the menu, in change mode choose Edit → New Entries.
4. In the Log.System column, create a new logical name in uppercase letters. In order to identify systems by name more easily later, use the naming convention <SID>CLNT### for the logical system names, where you replace <SID> with the relevant system ID and ### with the relevant client number, for example, S4DCLNT100. In addition, enter a name of the logical system, such as Central System (CUA) or Child System (CUA).
5. Save your entries, which will then be included in a transport request.
6. Create the logical system name of the central system and of the relevant child system in all child systems.

You have the following options for step 6:
● Import the transport request generated in step 5 (which contains the names of all logical systems) into all other systems in the CUA landscape.
● Perform steps 1 to 4 in all child systems of the CUA. Create the logical system name of the central system and of the relevant child system in each case.

Hint: The data for the logical systems is created cross-client. If there are multiple logical systems of the CUA in one SAP system, you only need to perform steps 1 to 5 (or to import the transport request) once per SAP system.

You also use transaction SALE to assign the logical systems. For this, choose Basic Settings → Logical Systems → Assign Logical System to Client, or start transaction SCC4 directly. Alternatively, edit table T000 with transaction SM30. After you have switched to change mode and have selected the appropriate client, you can assign an appropriate entry to the Logical system field in the details view of the client attributes. When doing so, use the input help (F4 help) to avoid input errors. Select the appropriate entry, such as S4DCLNT100, if you want to assign this logical system to client 100 in the S4D system. Make this assignment of logical systems for all clients involved in the CUA (in all of the involved systems).

Creating the Technical Users and the RFC Destinations

RFC destinations are used to exchange data by ALE in the context of CUA. These RFC destinations are used to distribute user data from the central system to the child systems, to send changes to this data in the child systems, and to send status reports back to the central system. In the context of CUA, the central system is treated like another child system in some respects.
That is, in the simplest case of a CUA (two logical systems linked to each other – one central system, one child system – within the same SAP system), two RFC destinations are required. If the central system and the child system are in different SAP systems, three RFC destinations are required:

Note: For more information, see SAP Note 492589 – CUA: Minimum authorizations for communication users. The composite role SAP_BC_USR_CUA groups together the various roles for service users of Central User Administration (CUA). The composite role is used only for documentation purposes. The single roles that it contains are assigned directly to the technical users. There is a newer version available, SAP Note 2000585 – CUA: Assigning minimal authorizations for communications users (version 2). This SAP Note describes more restrictive SAP authorization default values and SAP default roles. In this lesson, we follow the recommendations of the new version (SAP Note 2000585).

RFC Destinations from the Central System to the Child Systems

RFC destinations are required from the central system to all child systems. These RFC destinations use technical users in the child systems for which the naming convention CUA_<SID>_### is recommended, where <SID> is replaced with the system ID of the child system and ### with the number of the client being addressed in the child system. Following SAP Note 2000585 – CUA: Assigning minimal authorizations for communications users (version 2), this user requires at least authorizations that are contained in the roles SAP_BC_USR_CUA_731_CLNT, SAP_BC_USR_CUA_731_CLNT_CHECK and SAP_BC_USR_CUA_731_CLNT_SETUP. However, you should not assign the delivered SAP roles to the technical users, but rather copies of these roles for which you have created authorization profiles with role maintenance (transaction PFCG).
For simplicity, name the copies of the SAP roles by adding Z_ (and deleting the last two letters if needed) to the start of the name, that is, Z_SAP_BC_USR_CUA_731_CLNT, Z_SAP_BC_USR_CUA_731_CLNT_CHE and Z_SAP_BC_USR_CUA_731_CLNT_SET.

Hint:
● Note that some of the authorization objects in these roles contain fields that are not maintained (such as field CLASS for authorization object S_USER_GRP). These missing authorizations need to be maintained in the copied roles at the customer site according to the customer's needs and authorization concept.
● Note that the technical user in the child system requires the role Z_SAP_BC_USR_CUA_731_CLNT_SET only while you are setting up (or changing) the CUA system landscape. You can then remove this role from the technical user again.
● To increase the security and performance in your system, you can use the role SAP_BC_USR_CUA_731_CLNT in a “shared” way. This role contains the authorizations required for receiving the IDocs of the CUA and to update them. However, the subrole SAP_BC_USR_CUA_731_CLNT_RFC (create a copy of this role in the same way as the roles described above) contains only authorization to receive the IDocs, and the role SAP_BC_USR_CUA_731_CLNT_BTCH has the update authorization for the inbound IDocs. Assign the first role to the technical user, as described above. Assign a copy of role SAP_BC_USR_CUA_731_CLNT_BTCH, however, which only allows the changes to the user master records, to a user (of the type System) that you use for background processing. This user is used (in the child systems) to schedule a periodic background job that implements the CUA changes in the child systems.

RFC Destinations from the Child Systems to the Central System

RFC destinations are also required from the child systems to the central system. Every child system must be able to open an RFC destination to the central system.
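As an added example (not part of the course material or SAP tooling), the following Python function derives the RFC destinations and technical users a CUA landscape needs from the conventions of this lesson: destinations named after the target logical system, CUA_<SID>_### users in the child clients, CUA_<SID> users in the central client, and one destination per SAP system and target because destinations can be used cross-client. The function and field names are assumptions, and S4DCLNT100 as a central system on a separate SAP system is a constructed landscape.

```python
"""Plan the RFC destinations and technical users for a CUA landscape."""
import re
from collections import namedtuple

# <SID>CLNT### in uppercase, as the naming convention of this lesson prescribes.
LOGSYS = re.compile(r"^([A-Z][A-Z0-9]{2})CLNT([0-9]{3})$")

# Template roles named in the lesson; assign customer copies, not the originals.
CHILD_ROLES = ("SAP_BC_USR_CUA_731_CLNT", "SAP_BC_USR_CUA_731_CLNT_CHECK")
CHILD_SETUP_ROLE = "SAP_BC_USR_CUA_731_CLNT_SETUP"      # setup or change only
CENTRAL_ROLES = ("SAP_BC_USR_CUA_731_CNTRL", "SAP_BC_USR_CUA_731_CNTRL_CHECK")
CENTRAL_REDIST_ROLE = "SAP_BC_USR_CUA_731_CNTRL_BDIST"  # redistribution only

# created_in: SID of the SAP system in which the destination is defined
# name: destination name, identical to the target logical system
# user / user_client: technical user (type System) in the target client
Destination = namedtuple("Destination", "created_in name user user_client roles")


def split_logsys(name):
    """Return (SID, client) or raise if the name breaks the convention."""
    match = LOGSYS.match(name)
    if not match:
        raise ValueError(f"{name!r} does not follow <SID>CLNT### in uppercase")
    return match.group(1), match.group(2)


def plan_cua(central, children, setup_phase=False, redistribution=False):
    """List the destinations for one central and several child logical systems."""
    central_sid, central_client = split_logsys(central)
    if central in children:
        raise ValueError("the central system cannot also be listed as a child")
    central_roles = CENTRAL_ROLES + ((CENTRAL_REDIST_ROLE,) if redistribution else ())
    child_roles = CHILD_ROLES + ((CHILD_SETUP_ROLE,) if setup_phase else ())

    plan = {}  # keyed by (defining SAP system, target logical system)
    # Loopback: the central system is treated like another child system.
    plan[(central_sid, central)] = Destination(
        central_sid, central, f"CUA_{central_sid}", central_client, central_roles)
    for child in children:
        sid, client = split_logsys(child)
        # Central system to child: the user lives in the addressed child client.
        plan[(central_sid, child)] = Destination(
            central_sid, child, f"CUA_{sid}_{client}", client, child_roles)
        # Child to central: one shared destination per SAP system is enough.
        plan.setdefault((sid, central), Destination(
            sid, central, f"CUA_{sid}", central_client, central_roles))
    return list(plan.values())


if __name__ == "__main__":
    # Training setup of the Q team, then a constructed two-system landscape.
    for landscape in (("S4QCLNT100", ["S4QCLNT000"]),
                      ("S4DCLNT100", ["S4QCLNT000", "S4QCLNT100"])):
        print(landscape)
        for dest in plan_cua(*landscape, setup_phase=True):
            print("  ", dest.created_in, dest.name, dest.user, dest.user_client)
```

For the Q team setup the plan contains two destinations, and with the central and child clients on different SAP systems it contains three, matching the counts given in this lesson.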
Hint: Since RFC destinations can be used cross-client (all clients of a system can use a shared RFC destination), you only need to create one RFC destination to the central system if there are multiple child systems (clients) in one and the same SAP system.

The destination from the child system to the central system uses a technical user of the type System that must be known in the central system. This user should have the ID CUA_<SID>. In this case, <SID> stands for the system ID of the child system that communicates with the central system using this user. This user requires (at least) the authorizations for the roles SAP_BC_USR_CUA_731_CNTRL, SAP_BC_USR_CUA_731_CNTRL_CHECK, and SAP_BC_USR_CUA_731_CNTRL_BDIST. Create the roles by copying the template roles into the customer namespace and generating the profiles for them using transaction PFCG.

Note: The role SAP_BC_USR_CUA_731_CNTRL_BDIST is only required by the user in the RFC destinations if the attributes in transaction SCUM are set to Redistribution. See the section “Setting the Parameters for Field Distribution”.

Hint: Note that some of the authorization objects in these roles contain fields that are not maintained (such as field CLASS for authorization object S_USER_GRP). These missing authorizations need to be maintained in the copied roles at the customer site according to the customer's needs and authorization concept.

RFC Destinations from the Central System to Itself (Loopback)

A separate, additional RFC destination is required to connect the central system “to itself”. A special user is used for this RFC destination. This technical user is of type System and their authorizations are clearly delimited using predefined roles. This destination also uses the user with the ID CUA_<SID>, where <SID> is the ID of the central system.
The required authorizations are contained in the roles SAP_BC_USR_CUA_731_CNTRL, SAP_BC_USR_CUA_731_CNTRL_CHECK, and SAP_BC_USR_CUA_731_CNTRL_BDIST mentioned above.

Creating the RFC Destinations

The following figure illustrates the required RFC destinations and technical users as well as the roles they require in a very simple CUA scenario.

Figure 110: Required RFC Destinations and Technical Users for CUA

Hint: SAP Note 492589 – CUA: Minimum authorizations for communication users and its successor SAP Note 2000585 – CUA: Assigning minimal authorizations for communications users (version 2) provide background information about the required authorizations and the roles delivered by SAP in the CUA environment. Compared to SAP Note 492589, SAP Note 2000585 describes more restrictive SAP authorization default values and SAP default roles.

After you have created the users listed above with the appropriate role assignments in all of the clients involved, you only need to define the RFC destinations in transaction SM59. Follow the instructions below to do this:

1. In transaction SALE in the central system, choose Communication → Create RFC Connections (transaction SM59).
2. Choose Create.
3. Enter the following data:
   ● In the Destination field, enter the name of the connection, such as S4DCLNT000.
     Note: This entry must be in uppercase letters.
   ● In the Connection Type field, enter 3.
   ● In the Description group box, enter a short text, such as Connection to CUA child system.
   Caution: The RFC destination name must be identical to the logical system that you want to address with the RFC destination. The RFC destination must be specified in uppercase letters.
4.
After choosing Return, make the following settings on the Technical Settings tab:
   ● If you want to restrict the function of the CUA to a particular server group, you can specify the logon group after selecting the Load Balance: Yes radio button and choosing Return.
   ● If you do not want to use load distribution, specify the name of the host on which the application server of your target system that you want to use is running for Target Host, and specify the instance number of the application server in question.
5. On the Logon & Security tab, specify the client of the required logical system and credentials of the technical user CUA_<SID>_###, for example, CUA_S4D_100.
6. Save this destination.
7. Test this RFC destination using the functions Utilities → Test → Connection Test (Ctrl + F3) and Utilities → Test → Authorization Test (Ctrl + F4) from the menu bar.

To set up the required RFC destination from the child system to the central system, log on to the child system and perform steps 1 to 7 again. Enter the credentials of user CUA_<SID> here, where <SID> is the SID of your child system. You should also set up the RFC destination from the central system to itself, described above, in the same way.

Note: You can also use trusted RFC destinations for the CUA communication. This further increases the security of your CUA communication.
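The naming and role rules above for the child-side technical user and its RFC destination can be checked offline against an export of users, roles and destinations. The following is an added example, not part of the handbook or of any SAP tool: the record layout, the finding codes and the sample rows are constructed, and the copy names Z_SAP_BC_USR_CUA_731_CLNT_RFC and Z_SAP_BC_USR_CUA_731_CLNT_BTCH are assumptions derived with the same "prefix Z_" rule.

```python
import re
from dataclasses import dataclass

# Customer copies named in the handbook text for the child-side RFC user.
BASE_ROLES = {"Z_SAP_BC_USR_CUA_731_CLNT", "Z_SAP_BC_USR_CUA_731_CLNT_CHE"}
SETUP_ROLE = "Z_SAP_BC_USR_CUA_731_CLNT_SET"
# Assumed copy names for the split ("shared") variant, built with the same Z_ rule.
RFC_ONLY_ROLE = "Z_SAP_BC_USR_CUA_731_CLNT_RFC"
BATCH_ROLE = "Z_SAP_BC_USR_CUA_731_CLNT_BTCH"

# Recommended convention CUA_<SID>_###: three-character SID, three-digit client.
USER_RE = re.compile(r"^CUA_([A-Z][A-Z0-9]{2})_(\d{3})$")


@dataclass(frozen=True)
class RfcUserRecord:
    """One row of a constructed export: technical user plus the destination that uses it."""
    sid: str             # system ID of the child system
    client: str          # client addressed in the child system
    user: str            # technical user stored in the RFC destination
    roles: tuple         # roles assigned to that user in the child client
    destination: str     # RFC destination name in the central system
    logical_system: str  # logical system the destination is meant to address


def audit(rec, setup_in_progress=False):
    """Return the sorted finding codes for one child-side CUA technical user."""
    findings = set()
    match = USER_RE.match(rec.user)
    if match is None:
        findings.add("USER_NAME_CONVENTION")
    elif (match.group(1), match.group(2)) != (rec.sid, rec.client):
        findings.add("USER_NAME_WRONG_SYSTEM")
    if rec.destination != rec.destination.upper():
        findings.add("DESTINATION_NOT_UPPERCASE")
    if rec.destination != rec.logical_system:
        findings.add("DESTINATION_NOT_LOGICAL_SYSTEM")
    for role in rec.roles:
        if role.startswith("SAP_"):
            # Delivered template assigned directly instead of a PFCG copy.
            findings.add("DELIVERED_ROLE_ASSIGNED")
        elif role == SETUP_ROLE:
            # Needed only while the landscape is being set up or changed.
            if not setup_in_progress:
                findings.add("SETUP_ROLE_NOT_REMOVED")
        elif role == BATCH_ROLE:
            # Update authorization belongs to the background user in the split variant.
            findings.add("UPDATE_ROLE_ON_RFC_USER")
        elif role not in BASE_ROLES and role != RFC_ONLY_ROLE:
            findings.add("UNEXPECTED_ROLE")
    return sorted(findings)


# Constructed sample rows (not taken from a real system).
SAMPLE = [
    RfcUserRecord("S4D", "100", "CUA_S4D_100",
                  ("Z_SAP_BC_USR_CUA_731_CLNT", "Z_SAP_BC_USR_CUA_731_CLNT_CHE"),
                  "S4DCLNT100", "S4DCLNT100"),
    RfcUserRecord("S4Q", "200", "CUA_S4Q_100",
                  ("SAP_BC_USR_CUA_731_CLNT", SETUP_ROLE, "Z_HELPDESK_ADMIN"),
                  "s4qclnt200", "S4QCLNT200"),
    RfcUserRecord("S4T", "300", "CUA_S4T_300",
                  (RFC_ONLY_ROLE, "Z_SAP_BC_USR_CUA_731_CLNT_CHE", BATCH_ROLE),
                  "S4TCLNT300", "S4TCLNT300"),
]


def audit_all(records, setup_in_progress=False):
    """Map each technical user to its findings; an empty list means no finding."""
    return {r.user + "@" + r.logical_system: audit(r, setup_in_progress) for r in records}


if __name__ == "__main__":
    for key, found in audit_all(SAMPLE).items():
        print(key, found or "OK")
```
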
For information about configuring the CUA using trusted RFC destinations, see the online documentation for SAP S/4HANA (area Product Assistance), path (depending on the release):
● Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration → Setting Up Central User Administration → System Users and RFC Destinations → Advantages and Disadvantages of Trusted RFC Destinations or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems → (Link to) Central User Administration → Setting Up Central User Administration → System Users and RFC Destinations → Advantages and Disadvantages of Trusted RFC Destinations or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security Concepts and Tools → Identity Management → User and Role Administration of Application Server ABAP → Configuration of User and Role Administration → Central User Administration → Setting Up Central User Administration → Advantages and Disadvantages of Trusted RFC Destinations.

Activation and Configuration of the CUA

Activating the CUA

Once you have successfully activated the CUA, you will no longer be able to create users in the linked child systems using transaction SU01. The activation of CUA has been significantly simplified, and a number of necessary configuration steps are performed automatically by the system. To activate the CUA, proceed as follows:

1. Log on to the central system.
2.
In the Implementation Guide (transaction SALE), choose Modelling and Implementing Business Processes → Configure Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Select Model View for Central Administration (transaction SCUA).
3. Enter the name of your distribution model, such as CUA.
4. Choose Create.
5. In the Recipient column, enter the names of all child systems to be connected (such as S4DCLNT000).
6. Save your entries completely.
7. The result screen Display logs appears. If you expand the nodes for the individual systems, you usually see (possibly among others) the following messages for each system: ALE distribution model was saved, Central User Administration activated and Text comparison was started or This child system supports change documents for the CUA landscape.

If problem messages are displayed here, follow the procedure in SAP Note 333441: CUA: Tips for problem analysis and SAP Note 2437862 – CUA (Central User Administration) troubleshooting guide - Guided Answers.

When the CUA is activated, the system carries out the following configuration steps automatically:

Configuration Steps When Central User Administration Is Activated
● The corresponding ALE model is created or adjusted to match the new CUA model if changes have been made
● Partner profiles are created
● Text comparison with the child systems is carried out for roles, profiles and contractual user type IDs

The ALE distribution model defines which applications communicate with each other in the distributed systems and which data types are distributed. You require a separate ALE distribution model for a Central User Administration. In the central system, you define the structure of your Central User Administration in the model view, which you then distribute to the child systems.
In the ALE distribution model to be defined for the CUA, two types of data are distributed: user master data (including assigned roles and profiles) and company addresses. In the distribution model, you require two methods to distribute user data and company addresses. To implement these methods, you use BAPIs of the USER and UserCompany business objects with the Clone method. You can view the partner model in transaction BD64.

Partner profiles define the conditions for electronic data exchange via the IDoc interface. If a partner profile does not exist, you cannot communicate with a partner via the IDoc interface. You can display these partner profiles in transaction WE20.

The check tables and the texts for roles, profiles, and license data in the individual child systems are saved temporarily in the central system. This means they can be displayed quickly. If they have been changed, you have to run the text comparison. If you run the text comparison in the central system, you can select the child systems from which the data is to be read. If you run the text comparison in a child system, the current data is sent to the CUA central system.

Note: In new releases, the manual text comparison is not needed any more. For details, see SAP Note 1642106 – CUA|PFCG: Automatic text comparison of roles for central system. If you have restricted the use of RFC callbacks in the central CUA system by setting the profile parameter rfc/callback_security_method = 3 or if you plan to do this, the text comparison function in CUA will no longer work if the callback allow list entries are not maintained correctly in the CUA RFC destinations. For more details, see SAP Note 2585923 – CUA: Text comparison (callback whitelist).
If you want to assign a global user ID to users to allow for cross-system processes (such as the SAP Task Center), see SAP Note 3003462 – Interface enhancement for global user ID.

Caution: Even if users can no longer be created in the child systems from now on, the CUA is only “fully operational” once the following additional steps have been carried out.

Setting the Parameters for Field Distribution

For each field of transaction SU01, you can use transaction SCUM to determine the system in which the administration of the field content can be performed.

Field Distribution Parameters

Global
You can only maintain data in the central system. The data is then automatically distributed to the child systems. The corresponding fields cannot be changed there; they can only be displayed.

Local
You can only maintain data in the child system. Changes are not distributed to other systems.

Proposal
You have maintained a default value in the central system that is automatically distributed to the child systems when you create a user. After distribution, the data is only maintained locally, and is no longer distributed, if you change it in the central or child system.

Redistribution (Redist)
You can maintain the data both centrally and locally. Every time that the data is changed, the change is distributed back to the central system, and is then forwarded from there to the other child systems.

Everywhere (Evrywhr)
This option is available only on the Lock tab and for initial passwords (Logon Data tab). You can maintain initial passwords and lock data both centrally and locally. However, only the changes made to the data in the central system are distributed to the other systems. Local changes in child systems are not distributed.

HR/BP (read only)
With SAP S/4HANA, on-premise edition, extensive changes were made regarding user and business partner integration.
See SAP Notes 2646823 – How to maintain employees data in an S/4HANA OnPremise and 3094750 – Business User Management - FAQ as entry point. For background information, see SAP Notes 2570961 – Simplification item S4TWL - Business User Management, 2571544 – EEWA: New functions for the user and 2813203 – FAQ - View TBZ_V_EEWA_SRC for Employee-User-BP Synchronization. Transaction SM30 (maintenance view TBZ_V_EEWA_SRC) shows whether the maintainability of this address field is in the User Management, in Human Resources (HR) or in the Business Partner (BP). See also SAP Note 2548303 – S/4HANA: Configuration of maintenance for workplace address.

Note: For SAP_BASIS 7.52 and 7.53, also see SAP Note 2694029 – SCUM: Changes of descriptions.

Caution: If you subsequently change the distribution from Local or Proposal to Global or Redistribution, inconsistent data can be created. The only exception is that you can reset the indicators on the Lock tab at any time without danger. Ensure that you take into account SAP Note 611972: SCUM: Change to field distribution parameters.

Hint: The settings of the distribution parameters are automatically forwarded to the child systems.

Recommendations for how you should configure the parameter distribution for a number of fields are presented in the following table. The recommendation for a “Global” setting applies to all fields that are not listed (with the exception of locks).

Table 4: Some Recommendations for Transaction SCUM

Field                                                   Setting
Print Parameters (under Defaults)                       Proposal
Parameters                                              Proposal
User Group (under Logon Data)                           Proposal
Fields for data that the users maintain themselves      Redistribution or Local

Caution: For information about lock management for your users (for example due to too many failed logon attempts), see the online documentation and SAP Note 313945 – CUA: Incorrect logon locks cannot be globally reset.
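To see what the five SCUM settings mean for where a change is accepted and which systems can end up disagreeing with the central system, the following added example models them as a small simulation. It is not SAP code: the class, the field names and the logical system names are constructed, every user is assumed to exist in all systems, and unlisted fields default to Global as in the recommendation above.

```python
GLOBAL, LOCAL, PROPOSAL, REDIST, EVERYWHERE = (
    "Global", "Local", "Proposal", "Redistribution", "Everywhere")


class CuaFieldModel:
    """Toy model of one CUA: a central system, child systems, per-field SCUM settings."""

    def __init__(self, central, children, settings):
        self.central = central
        self.children = set(children)
        self.settings = dict(settings)  # field name -> SCUM setting
        self.data = {system: {} for system in {central, *children}}

    def create_user(self, user, values):
        """Create a user centrally; every field except Local ones reaches the children."""
        self.data[self.central][user] = dict(values)
        for child in self.children:
            self.data[child][user] = {
                f: v for f, v in values.items()
                if self.settings.get(f, GLOBAL) != LOCAL}

    def change(self, system, user, field, value):
        """Apply a change made in `system`; return the set of systems that now hold it."""
        mode = self.settings.get(field, GLOBAL)
        at_central = system == self.central
        if mode == GLOBAL and not at_central:
            raise PermissionError(f"{field}: display-only in child systems (Global)")
        if mode == LOCAL and at_central:
            raise PermissionError(f"{field}: maintained only in child systems (Local)")
        targets = {system}
        # Redistribution always goes via the central system to everyone; Global and
        # Everywhere distribute only changes that were made in the central system.
        # Proposal and Local changes stay in the system where they were made.
        if mode == REDIST or (at_central and mode in (GLOBAL, EVERYWHERE)):
            targets = {self.central} | self.children
        for target in targets:
            self.data[target][user][field] = value
        return targets

    def divergent(self, user, field):
        """Child systems whose value for `field` differs from the central system's."""
        reference = self.data[self.central][user].get(field)
        return {c for c in self.children
                if self.data[c][user].get(field) != reference}


def build_sample():
    """Constructed landscape: one central system and two child systems."""
    cua = CuaFieldModel(
        "CENCLNT100", ["CH1CLNT100", "CH2CLNT100"],
        {"lock": EVERYWHERE, "user_group": PROPOSAL, "telephone": REDIST})
    cua.create_user("MOOREJ", {"last_name": "Moore", "lock": False,
                               "user_group": "SALES", "telephone": "100"})
    return cua


if __name__ == "__main__":
    cua = build_sample()
    print("local lock reaches:", sorted(cua.change("CH1CLNT100", "MOOREJ", "lock", True)))
    print("systems out of step with central:", sorted(cua.divergent("MOOREJ", "lock")))
```

A lock set locally under Everywhere is visible only in that child system until a central change overwrites it, which is why `divergent` is the useful audit question for lock and initial-password fields.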
Configuration of IDoc Processing

Changes to company addresses and users that affect a child system are transferred to the child system(s) as an IDoc using the RFC destination described above. To optimize the ALE distribution of the CUA, you can execute (separately) the outbound processing and inbound processing of the IDoc in the background. You can find more information about this in the online documentation for SAP S/4HANA 2021 (area Product Assistance), path Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration → Activated Background Processing.

We will now take a closer look at IDoc inbound processing in the child system:

In standard systems, activation of the CUA (using transaction SCUA) generates partner profiles in the child system that allow immediate (“synchronous”) processing (online). In standard systems, the receipt of the IDoc is separated from IDoc processing (see SAP Note 555229 – IDocs hang in status 64 for tRFC with immediate processing). The dialog work process reserved for the RFC communication does not process the transferred IDocs itself. If an IDoc cannot be processed immediately because no dialog work processes are available, the system schedules a background job (with the step RBDAPP01) for this IDoc with an immediate start. The user who is used for the RFC communication requires additional authorizations for this scenario (see SAP Note 2000585 – CUA: Assigning minimal authorizations for communications users (version 2)).

Note: This behavior is controlled by the entries in the table TEDEF. In standard systems, this table (for the current clients) contains an entry with the values EVENTT = TRFC-IDOC and ROUTID = BATCHJOB.
If you change the table entry to EVENTT = TRFC-IDOC and ROUTID = SYNCHRON, the system updates all IDocs from the dialog work process that are currently used for RFC communication. Across all applications, the table TEDEF controls the processing of all IDocs that are sent to the current clients.

You can use the report RSESYNMESTYP to convert IDoc processing to synchronous processing, depending on the sent message type / IDoc type / extension. The message types CCLONE and USERCLONE are relevant for the CUA.

Note: The report RSESYNMESTYP sets the ACTFLAG field in the table EDIMSG for the selected objects to S.

SAP Note 1872637 – Delays posting inbound IDocs (status 64) which have been configured to trigger immediately provides further insight into the synchronous processing of IDocs and its limitations.

Change Documents

You can display change documents in a CUA landscape. To do so, use one of the following options:
● In transaction SCUA, use the menu to navigate to Goto → Change Documents for CUA Landscape
● In transaction SUIM, navigate to Change Documents → For CUA Settings
● Start transaction SCUH
● Execute program RSUSRCUA

Change documents for the CUA landscape are standard change documents (see transaction SCDO) for the object USER_CUA. These are written when you make changes in CUA landscapes with transactions SCUA, SCUG, and SCUM, or with the report RSDELCUA.
The following changes are recorded by these transactions/reports:
● Changes to the CUA model view (creation & deletion)
● Changes to the CUA central system (creation & deletion)
● Changes to the connected child systems (addition & deletion)
● Changes to the status of the transfer of users from the CUA child systems (setting, changing & deletion)
● Changes to the distribution parameters for the individual user attributes in the CUA (initial setting, changing & deletion)
● Changes to the monitoring of the CUA landscape in transaction SCUA (activation & deactivation) as described in SAP Note 1645544 – Monitoring of Central User Administration.
● Direct changes to the CUA model view in a CUA child system using the function Temporary Deactivation in transaction SCUA (deactivation & reactivation) as described in SAP Note 962457 – Activating temporary CUA deactivation in transaction SCUA.
● Direct deletions of the CUA model view in a CUA child system using the report RSDELCUA

In the CUA child systems themselves, no changes to the CUA child systems in the landscape (third point in the list above) are recorded.

Note: For more details, see SAP Note 1902038 – CUA: Change documents for the CUA landscape and the Program Documentation of report RSUSRCUA (available via the menu: Goto → Documentation).

Initial Data Synchronization

Synchronizing the Company Addresses

As company address data has already been maintained in all systems of the future CUA, you must first ensure that at least the central system contains all valid company addresses. Then distribute this complete company address set to all child systems, so that a consistent status exists for the company addresses in the entire CUA. You can use transaction SUCOMP to administrate company address data.
You can use transaction SCUG in the central system to perform the synchronization activities between the central system and the child systems by selecting your child system on the initial screen of transaction SCUG and then choosing (Synchronize) Company Addresses (in the Central System). For more information about this, see the online documentation.

Note: Alternatively, you can compare company addresses using transaction SCUC. You cannot transfer user data in this transaction, however.

Synchronizing User Groups

To be able to transfer users from a child system to the central system, or to distribute them from the central system to a child system, the user group to which the user is assigned must exist in all systems in which the user exists.

Hint: For information about structuring this work as simply as possible, see SAP Note 395841 – CUA: Assign target system-specific parameters and user groups. This note refers to the CUA_PARAMETER_CHECK and the CUA_USERGROUPS_CHECK switches in the PRGN_CUST customizing table.

Transferring Users to Central Administration

After you have synchronized the company addresses, you can transfer the users from the newly connected child systems to central administration. You can do so using transaction SCUG in the central system. To do this, on the initial screen of transaction SCUG, select your child system and choose (Copy) Users (to the Central System). Different cases are handled differently for the user transfer.

New users
These users are not yet contained in Central User Administration. By choosing Transfer users, you can transfer the selected users to the central system. All user parameters (address, logon data, and so on) and profile / role data are transferred. The user is maintained centrally in the future.

Hint: For more information on the distribution of user parameters, see SAP Note 1954558 – CUA | User Parameters.
Identical users
In this case, there are users with identical user IDs (the user ID or ID is the string that you enter in the User field on the SAP Logon screen) and matching first and last names. You can transfer the role data and profile data of this user to the central system. The user is then distributed as it exists in the central system. Local data is overwritten. In this case, it is assumed that, for example, the ID “MOOREJ” that exists in multiple logical systems, with the last name “Moore” and the first name “Jane”, always belongs to one and the same person. In large companies, this assumption is not always correct.

Note: For this reason, SAP recommends that you use unique character strings, such as the personnel number as the user ID.

Different users
These user IDs exist both in the central and in the child system, but the user has a different first or last name. If, in an individual case, these IDs actually refer to the same user, you can transfer the roles and profile data for the user to the central system. The user is then distributed as it exists in the central system. If the IDs do not refer to the same user, use the CUA to create a new user ID in the child system for one of the users and then delete the old user ID in the child system. Alternatively, you can assign a new ID to the user in the child system (if different employees have an identical ID in different clients). For this purpose, you can start transaction SU01 in the child system and choose User → Rename from the menu. If the user transfer is restarted, the user is listed as a New User rather than as a Different User.

Already central user
These users already exist in Central User Administration and are only administered centrally.

Local Users
These users exist for various applications only in child systems, and the applications manage them only in the child systems (such as the technical user TMSADM). You cannot copy these users to the central system.
This display is for your information only.

Hint: In case of users with a master record in multiple child systems, SAP recommends starting the transfer for the child system with the best data quality. Note that, for example, the address data of New users is transferred to the central system (and is not overwritten by diverging data for the same user ID in other child systems).

A function is available for copying users, which you can access using three new buttons in transaction SCUG if the Already central user tab is selected. With these buttons, you can transfer role assignments, profile assignments, and the license classification of users from child systems, particularly in cases in which (despite CUA being in use) the corresponding administration was carried out until now in the child systems (in line with the settings in transaction SCUM). For license data, see SAP Note 704412 – CUA support for license data maintenance.

After this step, the Central User Administration is completely set up for use.

Hint: Until the user transfer has been completed, the child systems affected still contain (“unexpected”) processing options for users that have not (yet) been transferred, such as the delete function for users in transaction SU01.

Note: SAP Note 2535491 – CUA: Performance issue when distributing users in SCUL provides more information if the IDocs hang in “Distribution unconfirmed” status when distributing users from the CUA central system to the child systems.

Checking the Distribution Status

You use the log display (transaction SCUL) primarily to check the status of IDoc distribution when changing company addresses or users. If you change a company address in the central system of a Central User Administration (CUA), this is replicated and a CCLONE IDoc is sent to each child system of the CUA.
If you change a user in the CUA central system, the user data is also distributed to the child systems assigned to this user. Up to three USERCLONExx IDocs are sent for each user: user attributes (USER), profile assignment (PROFILE), and role assignment (ACTGRP). You can then see in the results list of the log display whether the user or company address was replicated successfully to the child systems.

Hint: If it was not possible to completely process IDocs with user changes in the child system (Unconfirmed status in transaction SCUL), this can be because there are not enough dialog work processes available (in the child system or in the contacted instance). In this case, you can start postprocessing of the IDocs in the child system using transaction BD87, or opt for inbound processing of the IDocs in background processing. The latter is described in more detail in SAP Notes 399271 – CUA: Tips for optimizing ALE distribution performance and 2535491 – CUA: Performance issue when distributing users in SCUL.

Related Information

For more information concerning the setup of the central user administration, see the online documentation for SAP S/4HANA (area Product Assistance) path (depending on the release)
● Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration → Setting Up Central User Administration
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems → (Link to) Central User Administration or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security Concepts and Tools → Identity Management → User and Role Administration of
Application Server ABAP → Configuration of User and Role Administration → Central User Administration → Setting Up Central User Administration.

In addition, the following SAP Notes may be helpful:
● SAP Note 952349: SCUA: Functional improvements
● SAP Note 2000585: CUA: Assigning minimal authorizations for communications users (version 2)
● SAP Note 555229: IDocs hang in status 64 for tRFC with immediate processing
● SAP Note 763982: IDoc: tRFC inbound, syn. processing depends on message type
● SAP Note 1954558 – CUA | User Parameters
● SAP Note 2441124 – How to find your User Assistance for User and Role Administration of Application Server ABAP
● SAP Note 2669444 – PFCG: Generated authorizations for service type IDoc
● SAP Note 2548312 – Adjustment of default values for IDoc inbound processing
● SAP Note 2558350 – S/4HANA: Integration of EEWA changes into identity API
● SAP Note 2646823 – How to maintain employees data in an S/4HANA OnPremise
● SAP Note 3003462 – Interface enhancement for global user ID.

LESSON SUMMARY
You should now be able to:
● Set up the required technical users and RFC destinations for CUA
● Activate and configure the CUA
● Initialize the data synchronization for company address data and user data

Unit 4 Lesson 3
Performing User Administration with CUA

LESSON OVERVIEW
In this lesson, you learn about using Central User Administration (CUA) based on simple examples. You will also learn tips and tricks to ensure reliable and secure operation, as well as the steps required to remove Central User Administration.

Business Example
You have set up a Central User Administration (CUA) in your company. Now you want to administer the user data for the connected SAP systems. You also want to know about the options for troubleshooting, and to learn the steps required to remove a CUA.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Use the CUA for user administration
● List the steps to remove a CUA

CUA Operation

With an activated CUA, you continue to use transaction SU01 for user administration. However, there are a number of differences in its operation. The following list should provide you with an overview of the differences in user maintenance when CUA is implemented.

Changes in the Central System

Changes in Transaction SU01 in the Central System
● New Systems tab
● Changes to the Roles tab
● Changes to the Profiles tab
● Change to the Lock Users and New Password/Change Password functions.

New Systems tab:
This tab specifies the logical systems in which it is possible for a particular user to log on. However, you only rarely enter values directly on this tab. Note the explanations regarding the Roles and Profiles tabs described below. If a system assignment is removed from a user on the Systems tab, the user is deleted from the relevant child system.

Roles tab:
On this tab, you can assign roles to a user in the systems of the CUA. The central system has to know all role names of all connected systems. As part of the CUA activation, an initial text comparison was performed automatically. Therefore, the F4 help for roles is available immediately.

After one of the following operations in a child system, a further text comparison may be necessary:
● Creation of a role
● Deletion of a role
● Change of the Description of a role

Note: You can configure your CUA in a way that changes to roles in the CUA child systems are automatically transferred to the central system: see SAP Note 1642106 – CUA|PFCG: Automatic text comparison of roles for central system for details.

Profiles tab:
On this tab, you can assign profiles to a user in the systems of the CUA.
The central system has to know all manual profiles (not generated profiles) of all connected child systems. As part of the CUA activation, an initial text comparison was performed automatically. Therefore, the F4 help for manual profiles is available immediately.

After one of the following operations in a child system, a further text comparison may be necessary:
● Creation of a manual profile
● Deletion of a manual profile
● Change of the Description of a manual profile

Change to the New Password/Change Password and Lock User functions
The New Password/Change Password function on the initial screen of transaction SU01 now contains an option for specifying the child system for which the user is to receive a new password. When locking a user, you can decide – depending on the field distribution parameters in transaction SCUM – whether this user is to be locked locally or globally on all CUA systems. For more details, see SAP Note 313945 – CUA: Incorrect logon locks cannot be globally reset.

Changes in the Child System(s)

The following changes occur for transaction SU01 in the child system(s).

Changes in Transaction SU01 in the Child System
● All tabs: restricted changeability
● It is no longer possible to create new users
● It is no longer possible to delete existing users (after a complete user transfer)
● User in the Last Changed On field

All tabs:
On all tabs of transaction SU01 in the child system, you are now able to administer only the fields that you have selected for local administration during the configuration of the parameters (transaction SCUM). Local administration is allowed if you have chosen an administration setting other than Global. In the child system, it is no longer possible to create new users or delete existing users (as soon as the users have been completely transferred to CUA).
“Changed By” field: In the child system, this field shows, for all users that have already been centrally changed, the name of the user that is stored with the RFC destination from the central system to the child system, such as CUA_S4D_000.

As already outlined above, you can configure your CUA in a way that changes to roles in the CUA child systems are automatically transferred to the central system: see SAP Note 1642106 – CUA|PFCG: Automatic text comparison of roles for central system for details. In case of problems with this automatic text comparison, you can start the text comparison manually. For this, you have different options:
● You can start the comparison from the child system by choosing, in transaction PFCG, path Environment → Text Comparison for CUA Central System, or by executing program SUSR_ZBV_GET_RECEIVER_PROFILES in transaction SA38. You do not need to make any entries for this report; the data from the child system is sent to the central system anyway.
● To force the text comparison, you can also run program SUSR_ZBV_GET_RECEIVER_PROFILES in transaction SA38 in the central system. In this case, however, you should explicitly specify the child systems with which you want to perform a text comparison.
● You can automate the comparison by scheduling the report to be regularly executed in the background on the central system. In this case, create and select a variant that contains all of your child systems.

Fields whose field distribution parameters are set to Redistribution send their content back to the central system, from which this field value is then forwarded to all child systems. Existing entries are updated in this way.

Change Documents for the CUA Landscape
As of release 7.31 for software component SAP_BASIS, a new change object, USER_CUA, has been implemented, which you can use to write change documents for changes to the CUA landscape.
In addition, the new transaction SCUH is available to evaluate the change documents. For more details, see SAP Note 1902038 – CUA: Change documents for the CUA landscape and the documentation of the underlying report RSUSRCUA.

Special Authorization Objects for CUA
For Central User Administration, the following authorization objects exist that allow you to define user administrator authorizations for specific systems. This means that all user administrators of a CUA system group can exist in the central CUA, but each user can assign authorizations only for one part of the connected systems.

Table 5: Special Authorization Objects for CUA
Authorization Object    Meaning
S_USER_SYS              System assignment in CUA
S_USER_SAS              Role and profile assignment to systems in CUA

S_USER_SYS is the authorization object for system assignment in Central User Administration (CUA). You can distribute users from a central system to different child systems of a system group. The object S_USER_SYS checks which child systems the user administrator can assign to the users.

The system checks the authorization object S_USER_SAS in transactions SU01, SU10, PFCG, and PFUD when roles, profiles, and systems are assigned to users. It represents the further development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which were previously checked during assignment.

Hint: You can deactivate the authorization object S_USER_SAS using the customizing switch CHECK_S_USER_SAS with value NO in table PRGN_CUST. For details, see SAP Note 536101 – S_USER_SAS: Authorization check for system-specific assgnmnt.
Troubleshooting for the CUA
If the distribution of user data is not functioning, follow the checklist below:

Troubleshooting for the CUA
● Transaction SCUL in the central system
● Transaction SM59 in the central system
● Transaction BD64 in the central system
● Transaction SCUA in the central system
● Transaction SUIM in the central system
● Transaction BD87 in the child system(s)
● SAP Note 2437862 – CUA (Central User Administration) troubleshooting guide - Guided Answers

1. View the distribution log in transaction SU01 using the menu path Environment → Distribution log. Alternatively, call transaction SCUL. If errors are displayed here, you can choose to distribute the user master record again as a first step. Trace whether the problem persists or whether the data is sent successfully this time.
2. If the display of the distribution log informs you of tRFC with Errors, you should check the RFC destinations used in transaction SM59.
3. In transaction SCUM, from the menu choose Environment → Distribution model (launching transaction BD64) to check the consistency of the ALE model you are using. To do this, select the model for your CUA and check whether the required BAPIs USER.Clone and UserCompany.Clone are assigned to your model.
4. Check whether your CUA distribution model is displayed in transaction SCUA.
5. You can use transaction SUIM to determine cross-system information (area User Information System → User → Cross-System Information (Central User Administration)). Here, for example, you can display the list of all users in child systems (together with the IDoc number that was used to update users in the child system). You can also display the roles assigned to users or the users assigned to certain roles for specific systems.
6. If it was not possible to completely process IDocs with user data changes in the child system (Unconfirmed status in transaction SCUL), this can be because there are not enough dialog work processes available (in the child system or in the contacted instance). In this case, you can start postprocessing of the IDocs in the child system using transaction BD87, or opt for inbound processing of the IDocs in a background job. The second variant is described in more detail in SAP Note 399271: CUA: Tips for optimizing ALE distribution performance. In addition, SAP Note 2535491 – CUA: Performance issue when distributing users in SCUL might help. You should also take a look at SAP Notes 555229: IDocs hang in status 64 for tRFC with immediate processing and 1833088: CUA: Updating incorrect IDocs.

Hint: Every sent IDoc requires at least one work process in the receiving system. If a large number of IDocs is sent at the same time, you should set inbound processing to “Processing in the background” in the partner profiles with transaction WE20 and process these IDocs in the background with program RBDAPP01 (alternatively, IDocs can also be processed with program RBDSER04).

7. SAP Note 2437862 – CUA (Central User Administration) troubleshooting guide - Guided Answers (among others) refers to SAP Note 2108938 – CUA: Analysis of existing CUA landscape and contains a link to the CUA Troubleshooting Guide WIKI.
Performance Considerations
For more information about optimizing the performance of the data distribution of your CUA landscape, see the online documentation for SAP S/4HANA 2021 (area Product Assistance), path Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration → Setting Up Central User Administration → Activated Background Processing. For this you should have at least basic experience using ALE.

Hint: You can use transaction SCUL to distribute individual user master records to the child systems again. If you want to redistribute a large number of users simultaneously, transaction SCUL is a good option, as described in SAP Note 632486: Improvements to transaction SCUL. Alternatively, you can use program RSCCUSND to do this, as described in SAP Note 503247 – CUA: Synchronizing user master data.
Related Information
For more information on Central User Administration, see the online documentation for SAP S/4HANA (area Product Assistance) path (depending on the release)
● Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Lifecycle Management → Identity and Access Management → User and Role Administration of ABAP Platform → Configuration of User and Authorization Administration → Central User Administration
or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems → (Link to) Central User Administration
or
● Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security Concepts and Tools → Identity Management → User and Role Administration of Application Server ABAP and from there either Configuration of User and Role Administration → Central User Administration or Administration of Users and Roles → Operating Central User Administration.

CUA Removal
It is important to differentiate between two (three) possible scenarios for removing the CUA.

Two (Three) Scenarios for Removing the CUA
1. A child system is to be removed from the CUA (permanently or temporarily).
2. The CUA is to be completely removed.

These scenarios are presented here.

Permanently remove a child system from the CUA
1. Choose Delete in transaction SCUA or call program RSDELCUA directly in transaction SA38.
2. In the Delete area, choose the option Child Systems, and then select the child system to be removed using the F4 help.
3. Select Test Mode and choose Execute.
4. On the following screen, the system lists the data to be deleted and the tables affected. By double-clicking a table name, you jump to the display of the table content (as it is displayed using transaction code SE16).
5. If you are sure that you want to delete the displayed data, choose Back (F3) and deselect the Test Mode option. Choose Execute.
6. In transaction WE20 in the central system, under Partner Profiles for Partner Type LS, delete the message types CCLONE and USERCLONE for the child system. Repeat this step on the child system with the same message types (but now concerning the master system).
7. Start transaction BD64 in the central system and switch to change mode. Delete the methods of the child system and save your entries.
8. To distribute the distribution model of your CUA, from the menu choose Edit → Model View → Distribute and select the child system that you have just deleted in the dialog window.
9. Use transaction SCUA to check whether the child system has been deleted from the CUA.
10. If there are no additional child systems of the CUA in the SAP system that contains the child system to be deleted from the CUA, change the technical user (such as CUA_S4D) in transaction SU01 by removing the CUA roles on the Roles tab. If there are no longer any roles or profiles assigned to the user, you can delete it.

Caution: As the RFC destinations that you created may also be used for ALE connections other than the CUA, you should not delete the RFC destinations, but rather remove the roles with CUA authorizations from the technical user used.

Temporarily remove a child system from the CUA
You can delete the child system from the CUA group in the child system using program RSDELCUA. If you want to include the system in the CUA again at a later point, use transaction SCUA in the central system to add it to the system group and run transaction SCUG again in the central system for this child system. This transfers all local changes to the central CUA (in accordance with the field distribution parameters in transaction SCUM).
Note: If you want to remove the child system from the CUA only temporarily, also see SAP Note 962457 – Activating temporary CUA deactivation in transaction SCUA. After you maintain the Customizing described in this SAP Note, transaction SCUA gets a new icon that you can use to temporarily deactivate or reactivate CUA.

Delete the Entire CUA
1. In transaction SCUA on the central system, select your model view and choose Delete. This starts report RSDELCUA. Select the options Complete CUA and Test Mode. For the selections in area How are users without system assignments for the CUA central system handled, see below.
2. If you are satisfied with the list of data to be deleted, run the report again, but this time without the Test Mode option.
3. In the central system, delete the data about the central system and the child system(s) in transaction WE20; that is, delete the message types CCLONE and USERCLONE under Partner Profile for the Partner Type LS (if necessary). If only the standard message type SYNCH then remains, you can delete the partner profiles completely.
4. In transaction BD64, delete the distribution model of the CUA – if it still exists.
5. Repeat steps 3 and 4 in the child systems.
6. Remove the CUA roles (such as Z_SAP_BC_USR_CUA_731_CNTRL and Z_SAP_BC_USR_CUA_731_CLNT) from all technical users (such as CUA_S4D or CUA_S4D_000).

Caution: Delete the RFC destinations of the CUA only if you are certain that these destinations are not used in other ALE scenarios.

Caution: The users that you have copied from the child systems to central administration and which only exist on the child system are locked in the former central system after you have removed the CUA (this also includes the system users that are needed for the RFC destinations).
These users have no authorizations or roles (unless they were assigned roles and profiles in the central system) and can be deleted manually. To prevent this locking of (some of these) users, you may assign them (on the Systems tab) the logical system of the CUA central system (without assigning any roles or authorization profiles).

The Delete option in transaction SCUA offers five options in the box How are users without system assignments for the CUA central system handled?, for example the options
● Delete Users: The result of this option is the closest to returning the client to its status before its role as the CUA central system.
● Do Not Make Any Changes (if CUA Will Soon Be Restarted): This option is preset under the assumption that what is usually required is only a temporary deactivation of the CUA, for example, to perform maintenance tasks and to ensure that no changes are made to the users during this time. It can therefore be used for a case where you plan to reactivate the CUA soon after the deletion.

Appendix: CUA and System Copies
The figure below illustrates the procedure for copying a production system to a quality assurance system if both systems are included in a Central User Administration.

Figure 111: CUA and System Copy

First, you export the database of the source system (in this case, the production system). However, before you can import it to the target system (in this case, the quality assurance (QA) system), you have to carry out the following steps in the QA system:
● Since the user data in the production and QA systems usually differs, you should first export the client user data from the target system. The copy profile SAP_USER already exists for this purpose, which contains user master records (including assignments to roles/profiles) as well as authorizations and profiles.
● You also have to permanently remove the CUA system from the CUA of the target systems (in this figure, the CUA of the QA systems).

Once the database has been imported, you can re-import the previously saved user data to the system via client import and re-include the target system in Central User Administration as a child system.

If a CUA child client is to be copied via client copy to a client already included in a CUA, you should first remove the target client from the CUA, carry out the client copy, and then reinclude the client in the CUA.

Note: For additional information, see SAP Note 399917 – CUA: Moving of a CUA via Client or System Copy.

LESSON SUMMARY
You should now be able to:
● Use the CUA for user administration
● List the steps to remove a CUA

Unit 4 Learning Assessment

1. What can you define with the help of Central User Administration (CUA)?
Choose the correct answers.
X A Which user master records exist in which clients
X B Roles and profiles that are assigned to these master records
X C Initial passwords

2. Which transaction is used to activate the Central User Administration?
Choose the correct answer.
X A SCUG
X B SCUH
X C SCUA
X D SCUL

3. Which changes occur to transaction SU01 in the child system when you operate a Central User Administration?
Choose the correct answers.
X A Restricted changeability on all tabs.
X B It is no longer possible to create new users.
X C New Systems tab

Unit 4 Learning Assessment - Answers

1. What can you define with the help of Central User Administration (CUA)?
Choose the correct answers.
X A Which user master records exist in which clients
X B Roles and profiles that are assigned to these master records
X C Initial passwords
Correct. All of the options listed above can be defined with the help of CUA.

2. Which transaction is used to activate the Central User Administration?
Choose the correct answer.
X A SCUG
X B SCUH
X C SCUA
X D SCUL
Correct. You activate the Central User Administration with the help of transaction SCUA on the central system.

3. Which changes occur to transaction SU01 in the child system when you operate a Central User Administration?
Choose the correct answers.
X A Restricted changeability on all tabs.
X B It is no longer possible to create new users.
X C New Systems tab
Correct. On the child system, you experience restricted changeability on all tabs and it is no longer possible to create new users in transaction SU01 in the child system. The new Systems tab in transaction SU01 is available on the central system only.

UNIT 5
Configuring Extended Computer Aided Test Tool (eCATT)

Lesson 1 Describing the Basics of Extended Computer Aided Test Tool (eCATT)
Lesson 2 Configuring the System Landscape for eCATT
Lesson 3 Executing eCATT Test Scripts

UNIT OBJECTIVES
● Describe eCATT in the SAP environment
● Describe use cases for eCATT
● Explain how to set up automated test series
● List security aspects related to eCATT
● Create a System Data Container
● Configure system and client settings related to eCATT
● Create and execute a simple test configuration using eCATT

Unit 5 Lesson 1
Describing the Basics of Extended Computer Aided Test Tool (eCATT)

LESSON OVERVIEW
The lesson introduces the Extended Computer Aided Test Tool (eCATT). We will discuss use cases of this tool and explain important terms in the eCATT environment.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe eCATT in the SAP environment
● Describe use cases for eCATT
● Explain how to set up automated test series

Introduction to eCATT
In many cases, it is necessary to test individual processes within an SAP system landscape. For example, when you integrate a new component into an existing system landscape, you should test the component to ensure both that it works properly and that it interacts correctly with the other components in the landscape. The following list shows some selected scenarios that require tests:

What Should Be Tested?
● New SAP installations and upgrades
● Addition and integration of new components in an existing landscape
● Customer developments
● Core functions after importing Support Package Stacks
● Function testing in each case; possibly also acceptance and integration testing

You can perform the tests manually using a written test plan, such as an acceptance test. Acceptance tests are subjective tests that check the usability of the business processes. Test descriptions are created and must be performed by the tester during the test. Note that manual tests require significant resources.

Note: In contrast to an acceptance test and a function test (which is to verify a small slice of software against a specification), an integration test combines individual software modules and tests them as a group.

An alternative to the manual test scenario is to perform automated tests. In this case, the application processes (such as transactions) to be tested can be recorded and then run automatically. During the run, variables defined in the Test Script can be replaced with actual (application) data. Examples include functional tests that check whether individual transactions are error-free.
Automated tests have an advantage over manual tests because they can be repeated easily (for example, if errors occur). They also produce more reliable data because input errors can be ruled out (if these do not need to be tested specifically). In addition, a possible loss of motivation on the part of the testers due to the repetitive nature of the actions does not occur. To summarize, advantages of automated tests are as follows:

Advantages of Automated Tests
● Fewer test resources are required
● The test process is accelerated
● The test results are easier to reproduce because the test can easily be repeated a number of times
● A log of the results of the tests is automatically generated

There is, however, a relatively high initial cost for performing automated tests. Careful planning is required to write high-value, reusable test cases. The tests themselves can be performed relatively quickly.

eCATT Use Cases for SAP Business Suite and SAP S/4HANA Landscapes
With CATT (Computer Aided Test Tool), SAP has been shipping a test tool with the SAP system since SAP BASIS 3.0. This tool was used to test conventional, screen-based transactions within an SAP system.

Figure 112: Use Cases for eCATT

Using different components, such as
● SAP ECC, SAP SCM or SAP BW, as well as third-party tools (in SAP Business Suite landscapes) or
● SAP S/4HANA Servers and SAP Fiori Front-End Servers (in SAP S/4HANA landscapes)
means that it is necessary not only to test the individual components, but also their interaction in the context of cross-system business processes.

CATT reached its limits at this point because it could not be used to test transactions in the SAPGUI for HTML or Java applications. Therefore, SAP has developed the eCATT (extended CATT) test tool that was first delivered with AS ABAP 6.20.
Properties of eCATT are as follows:
● eCATT enables you to test all SAP transactions, regardless of whether they use the Control Framework or not
● eCATT provides a simplified concept for performing tests in different systems, starting with a central test system
● eCATT extends the possibilities provided by CATT
● eCATT is fully integrated into the Test Workbench

You can use eCATT to test SAP transactions both on the SAP GUI for Windows and on the SAP GUI for Java. You can also test applications that run outside these two GUIs. You can access the contents of database tables for application and Customizing data directly, as shown in the following figure:

Figure 113: Test Possibilities with eCATT

SAP tools offer greater flexibility than external test tools as all actions on the GUI can be recorded. You can also access database tables directly (without using function modules).

Terminologies in the eCATT Environment
When defining an automated test using eCATT, you need to define Test Scripts, Test Data Containers, System Data Containers, Start Profiles and Test Configurations in transaction SECATT, as described in the following figure:

Figure 114: Central Terms in the eCATT Environment

● A Test Script consists of a sequence of commands that control the process flow of the test (which transactions are executed in which sequence on which systems).
● Test Data Containers consist of reusable data records that can be transferred to the Test Script. Unlike CATT, where the test data belonged to a Test Script, with eCATT, the Test Data Containers are stored separately from the script. It means that there is a greater degree of reusability with regard to the Test Data Containers.
● A System Data Container consists of a list of systems (with associated RFC destinations) that are required during the execution of a Test Script.
● As of Enhancement Package 1 for SAP NetWeaver 7.3, an eCATT Start Profile can be stored with an eCATT Test Configuration. The Start Profile then acts as the default configuration of the start options for this eCATT Test Configuration. This is particularly useful when executing the eCATT Test Configuration from the Test Workbench.
● The Test Configuration links a Test Script (“what is to be done?”) with the data from one or more Test Data Containers (“which data is to be used?”), the system landscape defined in a System Data Container (“where are the tests to be performed?”) and the Start Profile (“which start options are to be used?”). In this way, a test case (that is, a checkable entity of an SAP system that contains a procedure for testing an object) is uniquely defined. The Test Configurations are executable test objects that are included in Test Packages and that can be assigned to testers using the Test Workbench.

Figure 115: Initial Screen of Transaction SECATT

Note: In addition, as of Enhancement Package 1 for SAP NetWeaver 7.3, the use of Validation Objects allows you to separate the coding for the validation of a test from the normal business test coding.

Design Automated Test Series
Before a test series can be executed, you need to answer a number of central questions, as presented in the following figure:

Figure 116: Designing Automated Test Series

First, you need to clarify the project goal and the project scope when deciding which business process to test. At this stage, you need to decide how accurately you want to test the system and exactly what the structure of the business process flow to be tested across system boundaries is.
You then define which system is selected as the central test system and which systems have to be accessed during the test (systems under test). You can then use this information to create the System Data Container.

Then, the Test Scripts can be created by test developers. Only systems that were defined in the System Data Container can be called from the Test Scripts. eCATT contains various commands depending on the application to be tested. This means that you should consider which command is to be used before you perform the test.

You can collect the data required for the test in one or more Test Data Containers.

Once the System Data Container, Test Script, and Test Data Containers exist, you can create the Test Configuration. This can then be executed by the individual testers, for example, using the Test Workbench (SAP Easy Access menu: Tools → ABAP Workbench → Test → Test Workbench). There also exists a Wiki on eCATT on SAP Community Network at https://wiki.scn.sap.com/wiki/display/ABAP/eCATT.

Each Test Configuration outputs its results in the form of a log. The log not only provides notification about the successful completion of the test, but also records the details.

Additional Information on Extended Computer Aided Test Tool (eCATT)
For more information about extended CATT, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Life Cycle Management → Integration Tests for ABAP Applications → eCATT: extended Computer Aided Test Tool (BCTWB-TST-ECA)

There also exists a Wiki on eCATT on SAP Community Network (including an FAQ section) at https://wiki.scn.sap.com/wiki/display/ATopics/eCATT:+The+Extended+Computer+Aided+Test+Tool.
In addition, in class CA611 – Test Management with eCATT you can learn how to create automated Test Scripts and how to include test cases in test projects that you can manage with the Test Workbench.

LESSON SUMMARY
You should now be able to:
● Describe eCATT in the SAP environment
● Describe use cases for eCATT
● Explain how to set up automated test series

Unit 5 Lesson 2
Configuring the System Landscape for eCATT

LESSON OVERVIEW
This lesson provides an overview of important system and client settings that are required to run eCATT scripts in a complex system landscape. In addition to setting up RFC destinations between the central test system and the systems under test in which eCATT commands will be executed, a System Data Container is created. Finally, the authorizations required to run eCATT scripts are discussed.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● List security aspects related to eCATT
● Create a System Data Container
● Configure system and client settings related to eCATT

RFC Destinations Between the Systems Involved
To run eCATT Test Scripts in a landscape consisting of multiple systems, you should first configure RFC destinations from the central test system to the systems to be tested (SUT – systems under test). Create RFC destinations using the RFC Destinations transaction (SM59) or by choosing Tools → Administration → Administration → Network → RFC Destinations in SAP Easy Access menu.

Note: The exact procedure for creating RFC destinations between SAP systems using transaction SM59 is not within the scope of this lesson.

Figure 117: RFC Destinations Between the Central System and the Systems Under Test

The figure above shows RFC destinations that are needed in case of a central test system and multiple systems to be tested (systems under test – SUT).
The central test system might be a development system. The systems under test typically are test (quality assurance) systems.

Trust Relationships Between SAP Systems
SAP recommends that you set up trust relationships (trusted RFC destinations) in the context of running eCATT scripts across system boundaries. If the current system has been registered as a trusted system in the target system, the Remote Function Call can be performed in the target system without the need to transfer a password. The trusted system relationship applies only for one direction; it is not bidirectional. If the relationship is to be bidirectional, you will need to register each partner system with the other as a trusted system.

Using trust relationships in the eCATT environment is useful for the following reasons:
● To run transactions using the SAPGUI command (for example, for transactions that use controls), you need a dialog user in the target system. In many cases, specifying a user of type System (which is sufficient in CATT for the TCD command to run standard transactions using the batch input interface) is not enough.
● If a user is entered (with a password) in the RFC destination of transaction SM59, any user of the calling system can (in principle) log on to the target system using this destination and run transactions under the user specified in the RFC destination. This is undesirable for security reasons.

Note: For more information, see SAP Notes 128447 – Trusted/Trusting Systems and 2487455 – How to set a trusting relationship in transaction SMT1.

System Data Container
A System Data Container stores the system landscape for a test scenario. It contains a list of all systems that a Test Script can access.
Every entry in this list describes a system and consists of:
● a name for the target system (this should be as descriptive as possible in order to reflect the function of the target system / system under test and to be independent of the name of the RFC destination),
● an (optional) description of the relevant component (such as “SAP ECC”, “SAP S/4HANA system”) purely for documentation purposes, and
● an RFC destination (or HTTP destination) that points to the target system.

To create a System Data Container, use transaction SECATT and choose System Data. The System Data Container should be maintained by a system administrator (together with the project manager) for both a development landscape and a test landscape so that all members of the project team can access the same System Data Container.

In a Test Script, a target system is identified using the name of the target system (and not using the name of the RFC destination). The advantage of this procedure is that when you change your system landscape, you only need to change the entries for the RFC destinations (or HTTP destinations) in the System Data Container without having to adjust the Test Script. Alternatively, you can create a new System Data Container (see figure below) and link it with the Test Script using a Test Configuration. This allows you, for example, to create and pre-test Test Scripts in the development landscape before running them in the quality assurance landscape.

Figure 118: The Meaning of System Data Containers

Hint: In principle, System Data Containers can be transported using the Change and Transport System, as can all other eCATT objects. However, there is no need to transport eCATT objects from the development system to the test or production system (exchanging the System Data Container in a Test Configuration is sufficient to make them run on a different landscape).
eCATT objects can be stored locally as XML files and then uploaded to other systems. To do this, choose the following menu path (in the System Data Container editor): System Data Container → Other Features → Download (for saving as a local XML file). On the initial screen of transaction SECATT, choose the menu path ECATT Object → Other Features → Upload (for loading from a local XML file to the SAP system). Variants in the Test Data Container can be stored both in XML and TXT format. Complex structures, on the other hand, like the entire Test Data Container with parameters and variants, must be stored as XML files.

Caution: When System Data Containers are uploaded or downloaded to other systems, the name of the RFC destination is retained in the RFC Destination field. However, since the name might not exist in the new system (or might identify a different RFC destination), some adjustments are required.

System Configuration and Client Settings for Using eCATT
To enable eCATT Test Scripts to be run successfully, the systems in the system landscape must be configured appropriately. The following figure shows the necessary steps (depending on the commands used) to configure the system. Note that this consists of more than a definition of the RFC destinations and the System Data Container.

Figure 119: System Configuration for Using eCATT

Client Settings
The maintenance of client settings using transaction SCC4 has been extended for eCATT. The extensions relate, in particular, to setting up remote connections. You can use trusted RFC destinations to transfer security settings from the start system to the remotely started system under test. With the extended client settings, you can allow or forbid starting eCATT and CATT, and you can also make this wholly or partially dependent on the type of RFC destination.
The following settings are available:
● eCATT and CATT Not Allowed
● eCATT and CATT Allowed
● eCATT and CATT Only Allowed for ‘Trusted RFC’
● eCATT Allowed; but FUN/ABAP and CATT not Allowed
● eCATT Allowed; but FUN/ABAP and CATT only for ‘Trusted RFC’

The eCATT functions FUN (calling function modules) and ABAP (blocks of ABAP commands within a test script) are of particular significance for security reasons. They can be additionally secured using the extended client settings.

Hint: For more information about the extended security concept for CATT and eCATT, see SAP Note 496286 – Security concept extended for CATT and eCATT.

Settings for Using GUI Scripting
eCATT allows you to use the scripting function of SAP GUI with the SAPGUI command. This means that you can use a recorder in transaction SECATT to record every action on the SAP screen, regardless of whether the actions use controls or not. If the function is to be used, you need to activate scripting first. You can do this as follows:
● The system parameter sapgui/user_scripting must have the value TRUE (you can use transaction RZ11 to change this parameter dynamically). The parameter is set to FALSE by default.
● SAP GUI for Windows must be installed on the front end of the user's computer (with the SAP GUI Scripting component).
● GUI scripting must be permitted on the user's front end computer. You can do this by choosing Customize Local Layout (or SAP GUI settings and actions) in the system function bar. Then, depending on your GUI version, choose Options ... → Scripting → Enable Scripting or Options ... → Accessibility & Scripting → Scripting → Enable Scripting.

Hint: When the system parameter sapgui/user_scripting is set to FALSE, the front end settings do not take effect.
For more information about the system parameter sapgui/user_scripting (and related parameters), see SAP Notes 480149 – New profile parameter for user scripting at the front end, 692245 – Additional server based security options for Scripting and 587202 – Restrictions when using SAP GUI Scripting. SAP Note 2715519 – Security Recommendations for Server-Side Configuration of SAPGUI Scripting contains recommendations from SAP for the use of SAPGUI scripting features as well as a link to the SAP GUI Scripting Security Guide.

Settings for Using External Tools
eCATT supports the connection of certified external tools. You can also use these tools to test applications that do not run under the SAP GUI (such as Business Server Pages or the SAP GUI for HTML). To use external tools, you may have to install the external tool on the user's local machine and do the following:
● Use the function module SET_EXTERNAL_TOOL to make the required entries in the Customizing table ECCUST_ET.
● Use program ECATT_GENERATE_ET_USER in transaction SE38 to create the system user required for the communication with the external tool.

For more information, see SAP Note 519858 – Setting Up SAP Systems to Use eCATT and the documentation provided in SAP Reference IMG (transaction SPRO), area SAP Customizing Implementation Guide → ABAP Platform (SAP NetWeaver) → Application Server → Test Workbench → Extended Computer Aided Test Tool (eCATT) → Driver-Specific Settings → External Test Tools.
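The settings described earlier in this lesson interact: a script names a target system, the System Data Container maps it to an RFC destination, and the extended client setting and sapgui/user_scripting on the target decide whether a command may run. The following Python pre-flight check is an added example, not SAP code; the landscape data, destination names and finding codes are constructed, and the rule table is an assumption that reads the five client settings literally for eCATT commands started over RFC.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed reading of the five extended client settings (labels from this lesson).
# Tuple = (rule for ordinary eCATT commands, rule for FUN/ABAP):
# "yes" = allowed, "no" = not allowed, "trusted" = only over a trusted RFC destination.
RULES = {
    "eCATT and CATT Not Allowed": ("no", "no"),
    "eCATT and CATT Allowed": ("yes", "yes"),
    "eCATT and CATT Only Allowed for 'Trusted RFC'": ("trusted", "trusted"),
    "eCATT Allowed; but FUN/ABAP and CATT not Allowed": ("yes", "no"),
    "eCATT Allowed; but FUN/ABAP and CATT only for 'Trusted RFC'": ("yes", "trusted"),
}
SENSITIVE_COMMANDS = {"FUN", "ABAP"}


@dataclass(frozen=True)
class Destination:
    trusted: bool                      # trusted RFC destination, no password transferred
    stored_user: Optional[str] = None  # user saved with a password in the destination


@dataclass(frozen=True)
class TargetClient:
    ecatt_setting: str    # one of the RULES keys
    user_scripting: bool  # value of sapgui/user_scripting on the target system


def preflight(sdc, destinations, clients, script):
    """Return findings as (target, command, code) for each script step."""
    findings = []
    for target, command in script:
        dest_name = sdc.get(target)
        if dest_name is None:
            findings.append((target, command, "TARGET_NOT_IN_SDC"))
            continue
        dest = destinations.get(dest_name)
        if dest is None:
            # Typical after uploading a container: the destination name is
            # retained but does not exist in the new system.
            findings.append((target, command, "RFC_DESTINATION_MISSING"))
            continue
        if dest.stored_user:
            # Any user of the calling system could act as this stored user.
            findings.append((target, command, "STORED_LOGON_DATA"))
        client = clients.get(target)
        if client is None:
            findings.append((target, command, "NO_CLIENT_DATA"))
            continue
        general, sensitive = RULES[client.ecatt_setting]
        rule = sensitive if command in SENSITIVE_COMMANDS else general
        if rule == "no":
            findings.append((target, command, "BLOCKED_BY_CLIENT_SETTING"))
        elif rule == "trusted" and not dest.trusted:
            findings.append((target, command, "NEEDS_TRUSTED_RFC"))
        if command == "SAPGUI" and not client.user_scripting:
            findings.append((target, command, "SCRIPTING_DISABLED"))
    return findings


# Constructed sample landscape (all names are hypothetical).
SDC = {"ERP_QAS": "QASCLNT200_TRUSTED", "CRM_QAS": "CRMCLNT300", "HR_QAS": "HRQCLNT100"}
DESTINATIONS = {
    "QASCLNT200_TRUSTED": Destination(trusted=True),
    "CRMCLNT300": Destination(trusted=False, stored_user="ECATT_RUN"),
    # "HRQCLNT100" is deliberately absent, as after an upload from another system.
}
CLIENTS = {
    "ERP_QAS": TargetClient(
        "eCATT Allowed; but FUN/ABAP and CATT only for 'Trusted RFC'", user_scripting=False),
    "CRM_QAS": TargetClient(
        "eCATT and CATT Only Allowed for 'Trusted RFC'", user_scripting=True),
    "HR_QAS": TargetClient("eCATT and CATT Allowed", user_scripting=True),
}
SCRIPT = [("ERP_QAS", "FUN"), ("ERP_QAS", "SAPGUI"), ("CRM_QAS", "TCD"), ("HR_QAS", "TCD")]

if __name__ == "__main__":
    for target, command, code in preflight(SDC, DESTINATIONS, CLIENTS, SCRIPT):
        print(f"{target:8} {command:8} {code}")
```
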
eCATT and Web Dynpro
The following figure shows an overview of the required prerequisites and settings to record and execute Web Dynpro applications using eCATT:

Figure 120: Configuring eCATT for Web Dynpro Applications

Many of the steps listed in the figure above can also be accessed from SAP Reference IMG (transaction SPRO), area SAP Customizing Implementation Guide → ABAP Platform (SAP NetWeaver) → Application Server → Test Workbench → Extended Computer Aided Test Tool (eCATT) → Driver-Specific Settings → WEBDYNPRO.

The requirements and settings for the central (eCATT) system, which must be based on AS ABAP 7.00 SP Stack 20 or higher, are as follows:
● Create a system user ECATT_HTTP. This user does not need to have special authorizations.
● Enter this user in the default_host/sap/bc/ecatt/ecatt_recorder ICF service (the Logon Data tab). In the Procedure field, choose Standard and select the Use all Logon Procedures option. Finally, activate this service.
● Create RFC destinations to the systems under test and enter them in System Data Containers.

Settings for Using Web Dynpro ABAP Applications
You can use eCATT to test ABAP-based Web Dynpro applications. The eCATT command for this is WEBDYNPRO. For more information, see SAP Note 948076 – eCATT support for Web Dynpro ABAP: Limitations.

Requirements and settings for the target system, which must be based on AS ABAP 7.02 or higher, are as follows:
● Activate the ICF service /default_host/sap/bc/ecatt/ecattping.
● Using the Web Dynpro ABAP application /default_host/sap/bc/webdynpro/sap/WD_GLOBAL_SETTING, enable the Permit eCATT Rendering (WDENABLEXBCMLCLIENT) feature.

Hint: This feature can be set by testing the Web Dynpro application.

For recording, in the past an SAP Business Client (SAP BC) in version 3.0 was needed (in later releases, the Web Dynpro Client is no longer included).
However, because the front-end component sapwdgui.exe is no longer supported in later releases of SAP BC, eCATT had to replace it in its support for Web Dynpro ABAP applications. For this, a new architecture was introduced in the eCATT WEBDYNPRO driver, which makes use of the normal browser (for recording) and of the HTML Control of the SAP GUI (for simulation). For details, see SAP Note 1947038 – New architecture of eCATT Web Dynpro ABAP support.

To activate or deactivate the new architecture, start transaction SECATT_UTIL and press the button eCATT Settings. Then create a new entry as follows: in the column Area, use the value help to choose Web Dynpro - Support with HTML; in the column Value, enter X (for activation) or leave the column empty (for deactivation); then save the changes.

Settings for Using Web Dynpro Java Applications
You can use eCATT to test Java-based Web Dynpro applications. The eCATT command is WEBDYNPRO. A requirement for the target system is that the ecattping service has been started. This can be done in SAP NetWeaver Administrator (area Operations → Systems → Start & Stop, tab Java Services).

Addendum: Automated Testing of OData Services with eCATT
The Open Data Protocol (OData) was created to provide a simple, standardized way to interact with data on the Web from any platform or device. This interface technology protocol for querying and updating data is now widely used in the development of SAP business applications. As OData services can offer quite complex business functions, eCATT handles them as integration testing. The new OData test automation functions enable you to test a process chain of several OData service operations automatically (for example, create → change → delete). Also, you can use OData calls to generate the required test data for further tests of other services or even other application interfaces.
You can create automated OData integration tests with the help of the eCATT OData wizard (transaction SECATT_ODATA). The eCATT OData wizard leads you through three main steps:
1. Load and Analyze Service: In this step, you load service metadata from the server.
2. Create Access Classes for Service: In this step, you generate access classes in ABAP to enable eCATT OData testing.
3. Create Tests: In this step, you create the tests on the basis of the newly created classes.

Hint: For more information, see for example the blogs Automating OData Service Testing with the eCATT OData Assistant (https://blogs.sap.com/2015/06/09/automating-odata-service-testing-with-the-ecatt-odata-assistant/) and Architecture of the eCATT OData Test Automation (https://blogs.sap.com/2015/06/09/architecture-of-the-ecatt-odata-test-automation/).

Required Authorizations to Use eCATT
Among others, the following authorization objects are required to use eCATT:

S_TCODE
This object allows the user a selective access only to certain transactions (for example, transaction SECATT).

S_DEVELOP
Authorization object that regulates access to all development objects in the SAP system. The granularity of this authorization object (with the fields DEVCLASS for packages, OBJTYPE and OBJNAME for object types and names of objects that the user can change, P_GROUP for specific program groups, and ACTVT for permitted activities such as change or create) allows you to assign authorizations specifically tailored to the user's requirements.

S_ADMI_FCD
System administration authorization object. The system checks it when a user tries to create an RFC destination.

S_RFC
Authorization check for RFC access. Use this to restrict the execution of function modules that are in specific groups. To create trust relationships, S_RFCACL is also required.

S_RFCACL
This authorization object is checked when a user attempts to log on in a remote system with trusted RFC.
You can restrict the selection to specific source system SIDs (RFC_SYSID field), clients (RFC_CLIENT field), and users (RFC_USER field).

S_ECATT
The main authorization object S_ECATT enables access regulation for users working on SAP Test Automation. The granularity of the object allows you to create authorizations that restrict access to a particular kind of eCATT object type (field OBJTYPE), particular packages (field DEVCLASS), and particular activities (field ACTVT).

S_ECATTADM
Additional authorization check which can be used to secure various administrative activities such as changing eCATT versioning data or configuring eCATT log archiving.

Among others, SAP provides the following roles for eCATT:
● The role SAP_ECAT (eCATT Processor) contains authorizations for creating, displaying, changing, deleting and executing eCATT Test Scripts and Test Configurations.
● The role SAP_ECST (eCATT Starter) contains the authorizations for displaying and starting eCATT Test Scripts and Test Configurations.
● The role SAP_ECET can be used for saving and loading test scripts with eCATT if the external tools used for eCATT were not started from eCATT.
● The role SAP_ECSHOW contains authorizations for the display of eCATT Test Scripts and Test Configurations.

Note: For more information about the security concept and the roles and authorizations for extended CATT, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Life Cycle Management → Integration Tests for ABAP Applications → eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA) → eCATT Security Guide → Authorizations.

Addendum: SAP Reference IMG
SAP Reference IMG contains a section for many of the settings described in this lesson (and even more settings).
For this, open SAP Reference IMG in transaction SPRO and choose SAP Customizing Implementation Guide → ABAP Platform (SAP NetWeaver) → Application Server → Test Workbench → Extended Computer Aided Test Tool (eCATT), see the following figure:

Figure 121: eCATT Settings in SAP Reference IMG

Note: In former releases, eCATT test cases could only be scheduled for execution in the background. This meant that test cases that required the SAP GUI for their execution (for example due to the SAPGUI command) were excluded from job scheduling. With the Foreground Scheduler (transaction STPFE, SAP Reference IMG path SAP Customizing Implementation Guide → ABAP Platform (SAP NetWeaver) → Application Server → Test Workbench → Extended Computer Aided Test Tool (eCATT) → Foreground Scheduler → Configure Foreground Scheduler) it is possible to schedule test cases controlling the UI for automatic execution. After you have registered yourself at the Foreground Scheduler and have started the test execution, you can schedule test cases in the Test Workbench (transaction STWB_2 – or report RSTWB_BATCH_EXECUTE) for automatic execution in the foreground.

Additional Information on Configuring eCATT
For more information about the security concept and the roles and authorizations for extended CATT, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Life Cycle Management → Integration Tests for ABAP Applications → eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA) → eCATT Security Guide.

There is also a Wiki on eCATT on SAP Community Network (including an FAQ section) at https://wiki.scn.sap.com/wiki/display/ATopics/eCATT:+The+Extended+Computer+Aided+Test+Tool.
In addition, the following SAP Notes provide further information:
● SAP Note 519858 – Setting Up SAP systems to Use eCATT
● SAP Note 496286 – Security concept extended for CATT and eCATT
● SAP Note 480149 – New profile parameter for user scripting at the front end
● SAP Note 692245 – Additional server based security options for Scripting
● SAP Note 948076 – eCATT support for Web Dynpro ABAP: Limitations
● SAP Note 1947038 – New architecture of eCATT Web Dynpro ABAP support
● SAP Note 2653468 – eCATT - using local objects without registration in object directory composite SAP Note.
● SAP Note 2715519 – Security recommendations for server-side configuration of SAPGUI scripting including a link to the SAP GUI Scripting Security Guide

LESSON SUMMARY
You should now be able to:
● List security aspects related to eCATT
● Create a System Data Container
● Configure system and client settings related to eCATT

Unit 5 Lesson 3
Executing eCATT Test Scripts

LESSON OVERVIEW
eCATT Test Scripts contain the commands that perform a test and the sequence in which they should be executed. This lesson provides you with an overview of the structure of Test Scripts. You will learn about the Test Script Editor and various commands for eCATT. You will also learn how to create a Test Configuration and monitor its execution.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Create and execute a simple test configuration using eCATT

Structure of a Test Script
The Test Script defines the sequence of commands that are to be executed during a test.

Figure 122: Structure of a Test Script

A Test Script consists of three main elements (see the following figure):

Attributes
Attributes define the properties of a Test Script. As Test Scripts are elements of the repository, they require a title and an assignment to a package. You must specify an application component and a person responsible for it.

Parameters
Parameters are variables used to transfer data from an external source (for example, from a different Test Script or a different Test Configuration) to the Test Script (“import parameters”), to transfer data from the Test Script to external sources (“export parameters”), or to define variables locally in the Test Script (“variables”), which are used to temporarily store data at runtime.

Commands
Commands define the process flow of the Test Script. Commands control which transactions on which target system are processed and in which order. If required, branches and loops can also be evaluated.

The Test Script Editor
You can maintain a Test Script using the Test Script Editor. You can start the Test Script Editor from the initial screen of transaction SECATT (which is available in the SAP Easy Access menu through menu path Tools → ABAP Workbench → Test → Test Workbench → Test Tools → Extended CATT) by selecting the Test Script radio button, entering a name for the Test Script (this is an element of the repository, so you should obey the naming convention), and choosing Create Object or Change Object. The following figure shows what the Test Script Editor looks like and what parts it consists of.

Hint: The eCATT development tools are also integrated in the ABAP Workbench. In the Object Navigator (transaction SE80), choose the Test Repository button. You may need to first enable this button by choosing Utilities → Settings... → Workbench (General).

Figure 123: Structure of the Test Script Editor

From the Test Script Editor, you can branch to the structure editor by double-clicking the name of a command interface. In the structure editor, you can view the definition of the command interface structure in more detail or define parameters for the interface. You can enter eCATT commands in the command editor, as shown in the following figure.
Figure 124: eCATT Command Editor

In the Parameter List area, you can define import and export parameters and any (local) variables that you require for executing your Test Script. Use the Parameter ↔ Command Interface button to switch to the definition of the command interface, if necessary. These command interfaces are automatically generated when you generate certain eCATT commands (such as recording or running SAP transactions) by choosing Pattern. The following figure shows how to set up parameters and values.

Figure 125: Setup eCATT Parameter and Values

eCATT Commands
There are a number of commands available in the eCATT environment. The following figure provides an overview of the main commands used for specific applications.

Figure 126: Which eCATT Command Should be Used?

The FUN command tests function modules. The command interface of this command corresponds to the interface of the called function module, including the transferred parameters and exceptions.

The eCATT command set contains commands for testing global ABAP object classes (for example, the command CREATEOBJ to generate an object of a class or the command CALLMETHOD to call up an instance method of a class). Access is restricted to public methods and attributes. Global classes are both tested and used as a tool in the Test Scripts in the same way as function modules or BAPIs are used.

You can also use eCATT to test both ABAP-based and Java-based Web Dynpro applications. Those applications can be recorded and run. The eCATT command for this purpose is WEBDYNPRO.

Hint: Pay attention to SAP Note 948076 – eCATT support for Web Dynpro ABAP: Limitations and SAP Note 1947038 – New architecture of eCATT Web Dynpro ABAP support.
The commands SAPGUI and TCD test SAP transactions:
● If controls are used for the transaction to be tested, the SAPGUI command must be used because the TCD commands run at the application level without an assigned SAP GUI.
● If controls are not used or are not necessary for the transaction, SAP recommends that you use the simpler and more effective TCD command.

The SAPGUI command uses a scripting engine in the SAP GUI to record status changes on the user interface. An SAP GUI session is also created when the SAPGUI command is run.

In addition to testing SAP transactions, eCATT provides an interface for external test tools that allows the testing of external applications. The Test Scripts created with external tools are also stored centrally in the database of the SAP system.

Note: In addition to the commands already listed, special conditions can be checked (the IF ... ENDIF. command), loops can be defined (the DO ... ENDDO. command), values can be checked (the CHEVAR or CHETAB commands), Customizing settings can be set temporarily (the SETTAB and RESTAB commands), and blocks of ABAP coding can be used (the ABAP. ... ENDABAP. command). You can find a command reference in the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Life Cycle Management → Integration Tests for ABAP Applications → eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA) → eCATT Command Reference.

Test Data Containers
In eCATT, most of the test data is stored in Test Data Containers separate from the Test Scripts. The main reason for this is to allow the test data to be reused and maintained. The Test Data Container(s) and a Test Script are merged in a Test Configuration to create a test case that can be executed.
Test Data Containers consist of parameters that describe the interface of the container and of variants in which the actual test data is stored. Each variant contains a field for every parameter as shown in the following figure. If no value is assigned to the parameter of a variant, the corresponding value from ECATTDEFAULT is used. You can import parameter names (for example, from Test Scripts) in the Test Data Container by choosing Edit → Import Parameters from the menu.

eCATT features a function for importing data into Test Data Containers. You can save an entire Test Data Container as a local XML file by choosing Test Data Container → Other Features → Download from the menu and import it into other systems (on the initial screen of transaction SECATT) by choosing the menu path ECATT Object → Other Features → Upload. Variants with simple parameters, on the other hand, can also be saved locally in .txt format (see the menu path Edit → Variants → Download in the editor for Test Data Containers). The following figure shows how a Test Data Container is structured.

Figure 127: Structure of a Test Data Container

The easiest way to use Test Data Containers is to create a Test Data Container separately for each Test Script. This method, however, does not allow you to take advantage of the many benefits of reusing the test data. Test data can be used more effectively if an individual Test Data Container is created for a complete application or sub-application. For this reason, it is also possible to use a single Test Data Container for several Test Scripts in one application. This simplifies consistent data storage. In the case of larger quantities of parameters, the use of multiple Test Data Containers is useful. They provide the data required for a test project. Each Test Script takes its data from one or more Test Data Containers.
This is illustrated in the following figure:

Figure 128: Reusability of Test Data Containers

Note: eCATT provides external variants that enable data stored in external files to be used. They can be used for both Test Data Containers and for Test Configurations. You can also use an external .txt file without uploading it (the External Variants / Path radio button in the Mode area on the Variants tab).
● External variants are generally used for data that is used only once and then discarded.
● Internal variants, on the other hand, are used when test data that will be used several times is to be stored permanently in the system.
You can change the path entered on the Variants tab page for the variant used by choosing Utilities → Settings from the menu and then eCATT → External, field Variants.

Note: A new variant maintenance wizard for test data maintenance was introduced in enhancement package 1 for SAP NetWeaver 7.3. This new wizard is displayed by default and leads you step by step through the variant maintenance process. To use the classical wizard, choose Utilities → Settings from the menu and then eCATT → Advanced, selection field Classic Wizard.

Start Profile
A Start Profile is an eCATT object for storing start options. This allows you to define the parameters to be used for the test procedure globally (which then can also be used within the Test Plan Management of the Test Workbench (transaction STWB_2)). You can also define test run parameters in the Start Profile (Data for Test Proc. tab).

Test Configuration
Although Test Scripts can be run “standalone” in the eCATT development environment, this procedure is usually only used during test development or for troubleshooting. Test Scripts frequently contain standard test data. A complete test case, however, is represented by a Test Configuration and Test Configurations are executed by the Test Workbench.
By default, one System Data Container and one or more Test Data Containers are referenced. Referencing Test Data Containers makes it possible to reuse test data (see the following figure for details).

Figure 129: Test Configuration

The Test Script defines the actions to be carried out and the import parameters that form the variants. The Test Data Containers contain most of the test data. The System Data Container features the system mapping function that defines the systems on which the commands act. When a Test Configuration is executed, the System Data Container specified in the Test Configuration is always used. Other System Data Containers (such as the one that is used during design time) do not affect any systems here. Finally, the start options are taken from the Start Profile.

eCATT Monitoring Using Logs
Every eCATT run generates a log containing detailed test results. This log contains the name of the Test Script (with the version) and every command executed in the Test Script, together with the corresponding parameters. Every error that occurs when the Test Script is being executed is colored red and is passed up to the highest level of the hierarchical structure of the log, so that each error that occurs flags the run as “containing errors”. Specific entries can also be written to the log within a script using the LOG ( <Parameter> ). command. Logs that are no longer used but should still be accessible can be archived (archiving object ECATT_LOG).
Additional Information on Executing eCATT Test Scripts
For more information about extended CATT, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Solution Life Cycle Management → Integration Tests for ABAP Applications → eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA).

In addition, in class CA611 – Test Management with eCATT you can learn how to create automated Test Scripts and how to include test cases in test projects that you can manage with the Test Workbench.

LESSON SUMMARY
You should now be able to:
● Create and execute a simple test configuration using eCATT

Unit 5
Learning Assessment

1. There is a fixed connection between the test data required for an eCATT test case and the Test Script, and the test data cannot be used without this fixed Test Script.
Determine whether this statement is true or false.
[ ] True
[ ] False

2. Which of the following configurations are required so that an AS ABAP based SAP system is able to use the SAPGUI command in eCATT?
Choose the correct answers.
[ ] A Maintain client settings to allow eCATT to be executed
[ ] B Configure the eCATT Manager
[ ] C Enable scripting for SAP GUI
[ ] D Enable the eCATT plug-in

3. Which of the following commands are available in eCATT?
Choose the correct answers.
[ ] A FUN
[ ] B TCD
[ ] C SAPGUI
[ ] D WEBDYNPRO
[ ] E RFC

4. Every error that occurs when the eCATT Test Script is being executed is colored red, and is passed up to the highest level of the hierarchical structure of the eCATT log.
Determine whether this statement is true or false.
[ ] True
[ ] False

Unit 5
Learning Assessment - Answers

1.
There is a fixed connection between the test data required for an eCATT test case and the Test Script, and the test data cannot be used without this fixed Test Script.
Determine whether this statement is true or false.
   True
   False
Correct. Test data can be stored in Test Data Containers that in turn can be used within multiple Test Configurations, that is, with multiple Test Scripts.

2. Which of the following configurations are required so that an AS ABAP based SAP system is able to use the SAPGUI command in eCATT?
Choose the correct answers.
   A Maintain client settings to allow eCATT to be executed
   B Configure the eCATT Manager
   C Enable scripting for SAP GUI
   D Enable the eCATT plug-in
Correct. You need both to maintain client settings to allow eCATT to be executed and to enable scripting for SAP GUI.

3. Which of the following commands are available in eCATT?
Choose the correct answers.
   A FUN
   B TCD
   C SAPGUI
   D WEBDYNPRO
   E RFC
Correct. FUN, TCD, SAPGUI and WEBDYNPRO are eCATT commands.

4. Every error that occurs when the eCATT Test Script is being executed is colored red, and is passed up to the highest level of the hierarchical structure of the eCATT log.
Determine whether this statement is true or false.
   True
   False
Correct. Every error that occurs when the eCATT Test Script is being executed is colored red, and is passed up to the highest level of the hierarchical structure of the eCATT log.
UNIT 6
Dealing with Aspects of Globalization

Lesson 1 Discussing Aspects of Globalization
Lesson 2 Importing Additional Languages into an SAP System
Lesson 3 Addendum: Introducing Unicode

UNIT OBJECTIVES
● Outline the SAP globalization strategy
● Explain the use of multiple languages in an SAP system
● Apply an additional language in an SAP system
● Define the terms code page and Unicode
● Outline the procedure of a Unicode Conversion

Unit 6 Lesson 1
Discussing Aspects of Globalization

LESSON OVERVIEW
There are a number of special considerations related to software for companies that have subsidiaries in different countries and whose employees speak different languages. This lesson examines various aspects of globalization, such as implementation strategies, country versions, and time zones. You will also learn about centralized and decentralized implementation.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Outline the SAP globalization strategy

Centralized and Decentralized Implementation

In principle, many different implementations are possible with regard to centralized and decentralized data storage and business processes. Some of them are described and illustrated in the following figure. When considering them, we will look at best practice observations from real implementations, along with technical advantages, disadvantages, and restrictions.

Figure 130: Different Implementation (Centralized versus Decentralized)

Complete Centralization

Complete centralization means mapping all business processes in a single client in a single system. Mapping using multiple clients can no longer be regarded as centralization because they work as almost independent systems.
Advantages of complete centralization are central control, simpler and more integrated reporting, simpler maintenance, as well as harmonization and standardization. Disadvantages of complete centralization are global complexity, higher risk, performance and size, differences in local business processes, as well as problems with ownership.

Additionally, you should consider the following aspects:
● Which global options and restrictions exist?
● Which transactions are required?
● Which end users work with the system?
● What about the local acceptance for global solutions?
● What kind of difficulties are to be expected with a global implementation?

Complete Decentralization

With a completely decentralized implementation, the individual local systems (clients) are separated and independent of each other. Each individual system can use its own standards. Communication with other systems takes place only to a limited extent, using individual, defined interfaces.

Advantages of an implementation of this type are local freedom with regard to functions, time planning, and approaches, local independence, as well as no expense for reconciliation. Disadvantages of complete decentralization are no synergies, redundancies, incompatible systems and interfaces, as well as redundancies with regard to implementation and maintenance.

Additionally, you should consider the following aspects:
● Global costs due to incompatibilities
● Global costs for implementation and maintenance
● Data Privacy

Distributed Systems with Shared Services

A decentralized approach with a common development system and shared services that are used globally can combine advantages of both purely centralized and purely decentralized implementations. Advantages of this approach are the local independence with regard to business processes, avoidance of redundant functions, as well as the distribution and avoidance of implementation and maintenance costs.
A number of disadvantages of distributed systems with shared services remain, however, such as the need for interfaces with associated problems or the issue of no real integration of business processes.

Additionally, you should consider the following aspects:
● Harmonization and standardization
● Global costs for implementation and maintenance

Combined Configuration: Centralized Decentralization

If multiple individual systems are connected in such a way that they are integrated and consolidated using business processes, this is described as centralized decentralization.

Advantages of such an approach are distribution and reporting, specific integration and complexity, standards and communication using business processes, as well as the possibilities for change. Disadvantages of centralized decentralization are restricted global control, the existence of a complex network of business processes between the systems, and the fact that it is less than optimal from a local point of view.

Additionally, you need to consider the following aspects:
● Whether distributing the business processes is actually useful
● Distribution scenarios
● Local acceptance
● Possibilities for cooperation

In hybrid scenarios, customers may run a central SAP S/4HANA server system on premise. This central SAP S/4HANA system may then be connected to local cloud systems such as SAP S/4HANA Cloud systems or SAP Business ByDesign systems that are running in the subsidiaries.

Strategy Criteria

In addition to the considerations related to business processes, other criteria must be considered. The strategy criteria could be of a geographical or technical nature, or relate to service and support, as presented in the following figure.

Figure 131: Criteria for a Strategy

There are different scenarios for implementation. The trend is currently moving in the direction of centralization and shared services. Restructuring from a centralized to a
Restructuring from a centralized to a © Copyright. All rights reserved. 217 Unit 6: Dealing with Aspects of Globalization decentralized solution is relatively simple. Restructuring in the other direction requires significantly more expense. If you are considering a centralized implementation, contact SAP for help. Local Versions When implementing an SAP system, country-specific differences in business processes and requirements should be considered. In this way, for example, the Financial Accounting (FI) application in SAP ECC (and in SAP S/4HANA) behaves differently in Germany, Spain or Poland. This is known as a local version (formerly known as country version). It is important to take this aspect into account. Different local versions result in different business processes, different data storage, and different Customizing options. It works this way because of legal differences, such as taxation, reconciliation, and reporting. Default settings and templates are also provided with a local version. You must differentiate technically between situations where the required local version already exists in the SAP standard and can be activated in Customizing, and situations in which the local version must be implemented in the system later. A nonstandard local version is imported as an add-on using transaction SAINT. In some cases, it is a question of transport requests that are imported using normal transport control (TMS). For some countries, there are no ready-made local versions. In such a case, adjust the system as far as possible using Customizing, and then implement additional specifics using your own developments, user / customer exits, and BAdIs or modifications. Figure 132: Availability of Local Versions for SAP ECC 6.0 SAP Standard Localization indicates that the local version is contained in the standard SAP ECC 6.0 (or SAP S/4HANA) system. 
The figure above shows the availability of local versions for SAP ECC 6.0 at the time of the creation of this handbook as an example. Older releases may contain fewer local versions.

SAP Partner Solutions are based on local versions that are already available but that must be imported as an add-on or transport request. As soon as standard local versions are included in the standard SAP system, they are available immediately with the next release. They can be used in parallel and are compatible with each other and with other SAP applications.

Note: Nonstandard local versions are provided by SAP or by one of SAP's partners. Local versions shipped by SAP's partners may also not be available at the time of a new SAP release, but only some time later. These considerations also apply when importing SAP Support Packages. You must also consider the fact that a local version that has been imported later can modify the SAP standard. The use of multiple nonstandard local versions in a single SAP system should, therefore, be checked carefully before implementation. It is also not possible to guarantee compatibility with other add-ons. You need to ensure that relevant Conflict Resolution Transports (CRT) exist when importing SAP Support Packages.

For a comparison, the following figure shows the status of SAP S/4HANA (on Premise) at the time of printing.

Figure 133: Availability of Local Versions for SAP S/4HANA (On Premise)

For more information about using individual local versions (as well as on time zones), see the online documentation and SAP Note 1375438 – Globalization Collection Note.

Time Zones

A company operating globally with cross-time-zone business processes requires a way of synchronizing time-dependent processes. SAP supports the use of different time zones in SAP solutions. It is not sufficient to use a uniform, system-wide timer in such situations.
This would lead to a situation where, in extreme cases, a business process falls on a different day from the one that should technically be the case for the balance sheet. In this way, for example, a Japanese user working for a Japanese company in Japan who creates a document at 6 a.m., but who happens to be working in an international system with German time, would create this document on the wrong day (in this case, the previous day). This would be incorrect from a business point of view.

SAP systems support time zones in various applications. Time zone functions are fully integrated into the SAP kernel. This means that the SAP system can convert dates and times quickly.

The local time of a particular user is dependent on the geographical area to which the user belongs. The time difference between local time and the absolute time, Coordinated Universal Time (UTC), is influenced by the following factors: geographical area, political factors (time zones are assigned to a country, a region, or even a postal code), and possibly daylight saving time (which does not have a uniform duration).

The local time is calculated based on Greenwich Mean Time (GMT), also known as UTC. For example, if it is 18:00 in Greenwich, it is 10:00 in Los Angeles. Los Angeles is therefore eight hours behind Greenwich. At the same time, it is 03:00 in Japan (nine hours ahead of UTC).

Daylight saving time is also taken into account in many time zones. In this case, the system uses a daylight saving time rule (summer time rule) to calculate the local time. In such time zones, the clocks are usually put forward by one hour to make full use of the longer days during the end of the spring months, summer, and the start of autumn, and to take the sunlight during the evening hours into account.

The assignment of a particular town or region to a time zone depends on geographical and political factors.
The time difference between two places on the globe can be up to 24 hours.

The time for a time zone is determined by the following components:

Time zone
   This component contains only the name of the time zone (such as CET or EST) and reference to the corresponding time zone and summer time rules.
Time zone rule
   This rule defines the time difference (+/- hours and minutes) to UTC based on geographical and political factors.
Summer time rule
   This rule defines the time difference between daylight saving time and standard time (usually +1 hour). It does not, however, define the start and end dates of daylight saving time.
Variable summer time rules
   These rules define how the system calculates the start and end dates of daylight saving time. You can change these rules at any time. This means that you do not have to enter the start and end dates of daylight saving time every year.
Fixed summer time rules
   In cases where daylight saving time is not defined by variable rules, this rule defines the start and end dates of daylight saving time for a particular year.

Figure 134: Business Process Across Multiple Time Zones

It is necessary to operate multiple time zones in one system simultaneously. The figure above shows an example of a business process happening across multiple time zones. The default time zone is used for processes that cannot be assigned to an individual time zone. The time is calculated based on UTC. In general, it is possible to assign a time zone either to an end user or to an object.
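The components listed above (time zone rule, summer time rule, variable summer time rule) and the date shift described for the Japanese user can be modeled in a few lines. This is an added example, not part of the handbook and not SAP code; the class and function names are hypothetical, and the zone keys and rule values are constructed for illustration rather than read from an SAP system.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional, Tuple

SUNDAY = 6  # datetime.weekday(): Monday = 0 ... Sunday = 6

# (month, weekday, occurrence, local wall-clock time); occurrence -1 = last
Switch = Tuple[int, int, int, time]


@dataclass(frozen=True)
class VariableSummerTimeRule:
    """How the start and end of daylight saving time are found in any year."""
    start: Switch  # expressed in standard time
    end: Switch    # expressed in summer time


@dataclass(frozen=True)
class TimeZone:
    key: str
    utc_offset: timedelta                    # time zone rule
    summer_shift: timedelta = timedelta(0)   # summer time rule
    variable_rule: Optional[VariableSummerTimeRule] = None


def nth_weekday(year: int, month: int, weekday: int, occurrence: int) -> date:
    """Date of the n-th given weekday of a month, or the last one if n == -1."""
    if occurrence > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (occurrence - 1))
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def summer_window_utc(tz: TimeZone, year: int) -> Tuple[datetime, datetime]:
    """Start and end of summer time in UTC (assumes start lies before end)."""
    month, weekday, occurrence, clock = tz.variable_rule.start
    start = datetime.combine(nth_weekday(year, month, weekday, occurrence), clock)
    month, weekday, occurrence, clock = tz.variable_rule.end
    end = datetime.combine(nth_weekday(year, month, weekday, occurrence), clock)
    return start - tz.utc_offset, end - tz.utc_offset - tz.summer_shift


def in_summer_time(tz: TimeZone, utc: datetime) -> bool:
    if tz.variable_rule is None:
        return False
    start, end = summer_window_utc(tz, utc.year)
    return start <= utc < end


def utc_to_local(tz: TimeZone, utc: datetime) -> datetime:
    shift = tz.summer_shift if in_summer_time(tz, utc) else timedelta(0)
    return utc + tz.utc_offset + shift


def local_to_utc(tz: TimeZone, local: datetime) -> datetime:
    """Ambiguous local times at the end of summer time are read as summer time."""
    as_summer = local - tz.utc_offset - tz.summer_shift
    if in_summer_time(tz, as_summer):
        return as_summer
    return local - tz.utc_offset


def to_system_time(user_tz: TimeZone, system_tz: TimeZone, user_local: datetime) -> datetime:
    """Wall-clock time on the system for a time the user reads on a local clock."""
    return utc_to_local(system_tz, local_to_utc(user_tz, user_local))


def dates_seen(user_tz: TimeZone, system_tz: TimeZone, user_local: datetime):
    """(user's local date, system date) for one and the same instant."""
    return user_local.date(), to_system_time(user_tz, system_tz, user_local).date()


# Constructed sample zones (illustrative rule values, not SAP table content).
UTC = TimeZone("UTC", timedelta(0))
JAPAN = TimeZone("JAPAN", timedelta(hours=9))
CET = TimeZone("CET", timedelta(hours=1), timedelta(hours=1),
               VariableSummerTimeRule((3, SUNDAY, -1, time(2)), (10, SUNDAY, -1, time(3))))
PST = TimeZone("PST", timedelta(hours=-8), timedelta(hours=1),
               VariableSummerTimeRule((3, SUNDAY, 2, time(2)), (11, SUNDAY, 1, time(2))))

if __name__ == "__main__":
    # A document created at 06:00 in Japan on a system running on German time.
    print(dates_seen(JAPAN, CET, datetime(2023, 1, 13, 6, 0)))
    # The same kind of shift in the other direction: 20:00 in PST on a UTC system.
    print(to_system_time(PST, UTC, datetime(2023, 1, 12, 20, 0)))
```

The same conversion is what an administrator or analyst performs by hand when matching a time reported by a user against entries that the system records in its own time zone.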
Time zones are of particular importance in the following areas:
● Basis system (AS ABAP: uniqueness and serialization of system events)
● Logistics (planning and tracing, dispatch and transport, goods movement)
● Finances (determining posting date, resulting in posting period)
● CRM (determining the date in business processes, call centers, mobile clients, internet sales)

For the following, we need to distinguish different times:

Operating system time
   Time of all servers of the SAP system, including daylight saving time.
System time
   Must be identical to operating system time; operating system time is set in the SAP Reference IMG.
User time
   Time zone in which the user works; this is set in the user master record.
Business/reference object time
   Objects can have a time zone as an attribute.
Default time
   Used if no other time zone is defined.

Before time zones can be used in the SAP system, you need to add system settings, maintain time zones, and assign these to users as follows:

Maintain system settings
The first time that you log on to an SAP system, the system automatically determines the time zone that it is in. As a precaution, you should check that the time zone setting in the system is correct. In SAP Reference IMG (transaction SPRO), choose area ABAP Platform → General settings → Time Zones → Maintain System Settings (note that this path depends on the SAP system and the release). You can also use transaction STZAC. Enter the System time zone and the User’s Default Time Zone. To activate the time zone function, select the Time Zones Active field.

Maintain time zones
As the default time zones are delivered with the SAP system, you do not need to maintain them manually. You should, however, check the settings.
In SAP Reference IMG (transaction SPRO), choose ABAP Platform → General settings → Time Zones → Maintain Time Zones (note that this path depends on the SAP system and the release). You can also use transaction STZBC. As the individual parts of a time zone structure are based on each other, you can define time zones by completing parts of the table as follows. First, define the time zone key (choose Time zones). Then, define the time adjustments that are caused by the time zone (choose Time zone rules). Next, define the time adjustments that are caused by daylight saving time (choose Summer time rules). Finally, define the variable summer time rule or the fixed summer time date (choose Variable Summer time rules or Fixed Summer time rules in the menu structure).

Maintain geographical assignments
In SAP Reference IMG (transaction SPRO), choose ABAP Platform → General settings → Time Zones → Maintain Geographical Assignments (note that this path depends on the SAP system and the release). To assign countries, regions, or postal codes, in the menu structure choose Time zones in country, Time zones in country/region, or Generic time zones to postal code. Define the standard time zone for the country or the region. If there is more than one time zone in a country or a region, enter the preferred time zone.

Define time zones in the user profile
Call transaction SU01. Enter the user ID and choose Change. Choose the Defaults tab, and enter the Time Zone for the user in the Personal Time Zone group box. If there is no time zone defined for a user, the system uses the time zone for the company to which the user is assigned. To view the time zone for the company, select the Address tab. Then choose Display Full Company Address (the glasses icon) in the Company group box. The company's time zone is displayed on the detail screen for the company address (Street Address group box).

Check time zones function for the user
Choose System → Status... from the menu.
If the time zones are activated and the user defaults are configured correctly, for users in the same time zone as the system no time zone information appears in the Usage data group box in the System: Status dialog box. For users in a different time zone, the system time, the time zone of the user, the local time of the user, and the local date of the user are displayed (the local date is displayed only if the local date and system date are different).

Time Zone Key Points

Applications from software component SAP_BASIS (the SAP Basis system) always use the system time zone and not any deviating time zone. This includes services such as the following:
● Background processing
● Update objects for asynchronous updates
● System log messages
● Change documents

This means that when a background job is defined (for example, using transaction SM36) or displayed (for example, using transaction SM37), the individual time zone of the calling user must be taken into account (that is, the user must select the relevant system time, and not their own local time). An exception to this rule is the overview of spool requests (transaction SP01). The individual time zone of the calling user is taken into account here.

It is possible to determine the time zone using either the user master record or SAP Business Objects.

To define the time zone using the user master record, assign an individual time zone to every user master record in the SAP system using transaction SU01 (see above). Many business transactions in the SAP ECC system and in SAP S/4HANA systems use this setting. For example, a user who works in Los Angeles has been assigned the PST time zone (Pacific Time, -8 hours from UTC). They are working, however, in an SAP S/4HANA system that is located in London and that has UTC as the system time zone.
If the user posted to an account on Thursday evening at 20:00 Los Angeles time, not only would the default value for the date of their post be that Thursday, the action would also be posted with Thursday's date. This procedure is correct from a business point of view, although it is already Friday morning according to the system time. In this way, it is possible for postings to be made for a date in the past, or, in the case of an East-Asian time zone, even for a date in the future (from the point of view of the SAP system). This is a simple solution that is satisfactory for the user, as long as it is not a case of cross-time-zone business processes.

To define the time zone using an object, link the time zone with objects, such as company code, plant, warehouse, or customer. This is useful when considering cross-time-zone business processes. This procedure is used in particular in SAP CRM (Customer Relationship Management) and SAP SCM (Supply Chain Management). Time stamps are stored in UTC time and are displayed converted to the local time zone, as required. The SAP system uses the local date, local time, and the time zone of the object to calculate the time stamp. The system stores the time stamp and the time zone of the object. If the user then calls the object with the time details again, the system will convert the UTC time information stored in the time stamp to the relevant local time. The system therefore stores the time information only in UTC and not the local time originally entered by the user.

It is important to note that there is no uniform arrangement with regard to time zones in the SAP system. Whether and how time zones are taken into account, whether user-related, object-related, or not at all, depends on the individual implementations in the individual transactions.

Note: Objects which are assigned to an address may get the time zone from the address (for example plants or warehouses).
Therefore, it is important to maintain the time zones of addresses in table ADRC (Business Address Services) accordingly.

Additional Information on Globalization

● For more information about time zones, see the online documentation for SAP S/4HANA 2021 (Product Assistance) area Enterprise Technology → ABAP Platform → Other Services → Services for Administrators → Time Zones (BC-SRV-TIM) and the online documentation for individual products (such as SAP CRM).
● For more information about Globalization, the following SAP Notes may be helpful:
   - SAP Note 1375438 – Globalization Collection Note.
   - SAP Note 198411 – Current data and information about time zones. This note contains the latest content concerning time zones.

LESSON SUMMARY
You should now be able to:
● Outline the SAP globalization strategy

Unit 6 Lesson 2
Importing Additional Languages into an SAP System

LESSON OVERVIEW
This lesson explains the ability of the SAP system to support multiple languages simultaneously. The functionality includes the mechanism of language imports and language supplementation. Translations and address versions are also briefly discussed.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain the use of multiple languages in an SAP system
● Apply an additional language in an SAP system

Multilingual Capability of the SAP System

Depending on the release, SAP translates its products into about 40 different languages. With the help of report RSCPINST, customers can enable their users to log on in far more than 40 languages (even if SAP does not translate its products into these languages). The user's language is specified during logon by an entry in the logon screen, a default setting in a user master record, a language specified in SAP Logon options, or a system default.
Before users can log on with the desired language, this language must be imported into the SAP system. Only German (DE) and English (EN) are included with a new installation of an SAP system. You can use transaction SMLT to import additional language packages.

Note: Depending on the release of both SAP Software Provisioning Manager (SWPM) and the SAP system to be installed, you can also include the installation of additional languages into the installation procedure of your SAP system.

If you select a language other than English, remember that the language is not fully translated. The text that is not translated must be provided using a supplemental language. The supplemental language must be a completely translated language. This can also be recursively configured so that you can use a number of supplemental languages, each of which supplements text that is not translated in the previously configured language.

Note: The supplemental language should be aligned with the profile parameter zcsa/second_language (which has the default value D). So if you want your supplementation language to be English, the value of this parameter should be changed to E. See also section 1.3 of SAP Note 1156507 – Language supplementation, RSREFILL, and client maintenance.

Figure 135: Language-Dependent Objects

There are many different language-dependent objects, as shown in the figure above. The objects are translated into different languages. Objects that are not translated use a supplemental language.

Note: If you create a new language-dependent text, it exists only in the logon language. The text is not maintained for other languages. This can lead to inconsistent data. For example, certain text may not be displayed for users who log on with a different logon language (unless you translate it). Such users may also receive an error message such as Make an entry in all required fields.
Depending on the object, problems that can arise are as follows:
● The text is displayed in a different language
● Nothing is displayed
● The user sees a warning or error message
● The transaction can no longer be executed

Languages in the SAP System

The extent to which individual languages need to be imported into the SAP system and to which they are translated, depends not only on economic, but also political and cultural criteria. User acceptance is an important aspect in these considerations. The following figure shows the language and translation considerations.

Figure 136: Using Different Languages

The categories of language and translation are as follows:

English Only
In this case, the system only supports English when printing. All reporting and communication is performed in English. The problem of language-dependent objects does not arise and no costs are generated for translations at customer side. The question is not only whether the users have any problems with the English language, but also whether English reporting, such as annual financial statements, is legally acceptable. Therefore, it is a solution for a relatively small number of countries that use English as an official language.

Mainly English
In this case, it is assumed that the users have a command of English. They log on in English, and the menus are also in English. However, reporting is done in the national language. If desired, language-dependent objects will be translated. Such a solution requires certain translation costs and a small amount of Customizing (for example, for units of measurement). The master data is available in the national language. Communication is also performed in the local language.

Some English
The master language of the system is English. However, users do not require significant knowledge of English.
They log on in their local language, and use language-dependent objects, such as menus, input screens, and so on. Communication and all legally-relevant reporting are also performed in the national language. Text that is not translated is displayed using English as the supplemental language. There may be no translations in some areas. Additional text can be translated, if desired, but this is not necessary in many internal areas. There are periodic language supplements for newly generated text. Manual translations remain manageable.

No English
In this case, users have no knowledge of English or English is unacceptable due to political or cultural considerations. In such situations, not only must the corresponding national language be imported, but all other required text must be translated manually. It is not possible to use English as a supplemental language. This means continual translation activity in a multilingual system. This is necessary even if the system is only operated in one language, as new language-dependent texts are imported into the SAP system with every SAP Support Package and every upgrade, and it may be necessary to translate them.

The level of SAP standard translations is different for different languages. This is because business requirements are not the same for different countries. In Japan, there is a strong demand to provide all language-dependent texts in Japanese. On the other hand, users in Scandinavia typically do not have this requirement. Some customers do not even offer their users the option to log on with a Scandinavian language – they use an English interface instead. Hence, a reduced translation scope is possible in some countries.
Existing translation levels can be categorized as follows:
● User Interface: This translation level includes all elements of the SAP system that are necessary to operate it in the user's language (for example, screens, messages, menus, and interactive PDF forms).
● User Interface and Selected Help: This translation level includes all elements of the User Interface level, plus selected help (for example, F1 help for system messages, data elements, reports, and authorization profiles).
● User Interface, Selected Help, and Forms: This translation level includes all elements of the User Interface and Selected Help level, plus forms (for example, SAPscript forms and PDF print forms).
● Complete Translation: All application texts are available in the respective language. This includes, for example, Payroll-specific documentation and Release Notes.
● Complete Translation with Technical Texts: All language-dependent elements are available in the respective language.

In some application areas, the translation level can deviate from the “global” translation level for a specific language. This is especially valid for industry-specific areas.

Translation Tools

The translation tools enable you to translate language-dependent text in ABAP objects. These tools belong to the software component SAP_BASIS and are therefore available in all ABAP-based SAP systems. The short text editor, which you access via transaction SE63, enables you to translate short texts (such as UI texts) with or without the aid of a translation memory (called the proposal pool). The long text editor, which you can also access via transaction SE63, enables you to translate long text objects such as F1 help texts.

There are four possible approaches to translation:
● For very small volumes of texts, you may wish to translate just individual objects in transaction SE63 (Translation Editor).
● At the other end of the scale, you can use transaction LXE_MASTER (Translation Administration) to set up the translation environment fully, which provides you with the best possible support for your project with features such as standard worklists and translation statistics (see figure below).
● You can create an on-the-fly worklist to translate objects in a specific transport request, transport object, or package without having to set up the translation environment at all.
● Finally, you have the option of exporting texts from your SAP system to an XLIFF or Excel file for external translation.

The appropriate translation strategy depends on factors such as the total volume of text to be translated and the number of target languages.

Figure 137: Components of the Translation Workbench

For more information on translation, see the SAP online documentation for SAP S/4HANA (product assistance), area Enterprise Technology → ABAP Platform → Other Services → Services for Information Developers and Translators → Setting Up and Coordinating Translation (BC-DOC-TTL) and Translation Tools for Translators (BC-DOC-TTL).

Note: For the translation of Customizing, see section “Language-Dependent Customizing”.

Hint: SAP Note 1375438 – Globalization Collection Note contains multiple attachments, for example a translation configuration guide.

Language Import

You use transaction SMLT (Language Management) to import language packages into an SAP system. The following figure shows the steps required for a language import. The steps are explained in more detail in the remaining part of this lesson.
Figure 138: Language Import Process

For more information on how to install a new language and how to finish the post processes after you have imported the language packages, see SAP Notes 1935497 – How to finish a language import by SMLT and 3156438 – SMLT: Language installation - all steps.

Configuration of Required Languages Using Report RSCPINST

Before starting the language import, you must configure the required languages. To do so, start the report RSCPINST using transaction SA38 or I18N (I18N Menu → I18N Customizing → I18N Language Configuration). Here, choose Add Language to select the country code for each language required, and choose Check. When no further preparation is required, finally choose Activate.

Hint: For more information about the report RSCPINST, see SAP Note 42305 – RSCPINST (I18N configuration tool).

Note: As of release 7.50, the profile parameter zcsa/installed_languages shall not be set in any profile file. Program RSCPINST shall be used instead. See SAP Note 2185213 – Configuration of logon languages and profile parameter zcsa/installed_languages. As of SAP S/4HANA Server 1909, this parameter is not shown in transaction RSPFPAR any more; as of SAP S/4HANA Server 2020, this parameter is not used any more.

Importing the Language Package

The following figure shows the language import screen in transaction SMLT.

Figure 139: Transaction SMLT: Language Import

During an import of a language package or during language supplementation, the SAP system locks language management activities for the relevant language. The system rejects all other activities to be performed for a locked language. Other languages are not affected by this, meaning that parallel actions that operate on other languages can be performed.

SAP delivers SAP Support Packages to correct errors that occur in SAP transactions.
SAP Support Packages often contain language-dependent data, such as message texts, ABAP text pool entries, or screen texts. After importing an SAP Support Package (for example with transaction SPAM), the translated texts for these objects have the newest status for all languages that exist in the system.

Problems occur when an additional language is imported from the language media file(s) into a system in which SAP Support Packages have already been installed. The language media file(s) was created before the first SAP Support Package was shipped, and the objects in the SAP Support Packages are only provided with translations for the languages already imported. Importing a language subsequently places the objects contained in the SAP Support Packages in an undefined status with regard to translation. For example, texts can be obsolete, and therefore incorrect, or completely missing (see SAP Note 352941 – Consultation: Languages and Support Packages). Therefore you subsequently need to import the language data contained in the SAP Support Packages to achieve a consistent language status.

Note: You must classify a language to make it known in the system before importing a language package supplementing the language.

To classify languages, perform the following steps:

1. In transaction SMLT, choose Language → Classify from the menu.
2. In the dialog box that appears, select the language to be imported and the associated supplementation language.

Note: To enable logging on in the relevant languages, the parameter zcsa/installed_languages is checked which – as of AS ABAP 7.50 – is maintained with the help of report RSCPINST. As of SAP S/4HANA Server 2020, this parameter is not used any more, however.

You can display the current settings for a language at any time by choosing Language Information for the language in question on the initial screen of transaction SMLT.
If no supplementation language was specified when classifying a language, it is possible to do it at any time.

Use transaction SMLT to import an additional language package. English and German are always completely available in newly installed systems.

To import an additional language package, perform the following steps:

1. For the language with an additional package to be installed, from the menu choose Language → Import Package.
2. In the dialog box that appears, specify the path to the language package. Choose Find Package(s). The system searches for available packages in the specified path.
   Note: The system indicates whether a package can be imported by displaying a green, yellow, or red traffic light next to the relevant package. You can display additional information by selecting the traffic light. A green light means that all import conditions have been fulfilled, yellow means that warnings have occurred, and packages with red lights cannot be imported due to checks that revealed errors.
3. Select one or more language packages with green or yellow lights for import by selecting the corresponding line(s) in the list.
4. After specifying the start time and, if desired, the target server, you can import one or more language packages by choosing Execute. This schedules a background job that performs the required steps. As a result, an import action is created for the relevant language on the overview screen of transaction SMLT, which you can manage and monitor by choosing the relevant icons.

Hint: You can restart terminated imports by choosing the Restart button in transaction SMLT.

Note: You can import multiple language packages in parallel. Depending on the capacity of your SAP system, importing multiple language packages simultaneously can cause a greater workload than importing them sequentially.
After importing the language packages, you must import the language data contained in Support Packages. To do so, select the affected language in transaction SMLT and (from the menu) choose Language → Special Actions → Import Support Packages.

To perform the relevant actions, you require the following authorizations in the CTS_LANFKT field of the S_CTS_LANG authorization object:

● ADMI: Administration in the language transport area, especially for classifying an additional language
● INST: Importing a language package
● SUPL: Supplementing a language
● SHOW: Display authorization; you cannot call transaction SMLT without this authorization

All authorizations required for language transports are included in the SAP_BC_TRANSPORT_ADMINISTRATOR role that is delivered by SAP. The authorizations are checked in such a way that it is not necessary to adjust them in a language transport after an upgrade.

Language-Dependent Customizing

In the case of a language import with translation gap supplementation, objects from SAP standard are imported and supplemented. However, in the case of language-dependent Customizing text, supplementation is more difficult. This text might not have been translated into all languages and now has to be supplemented. Information about language-dependent text is presented in the following figure. Note that most Customizing texts are client-dependent.

Figure 140: Language-Dependent Texts in Customizing

Customizing data is the data created at the customer site in the context of Customizing. The Customizing data for a customer client is not overwritten during a language import or upgrade: the data is always imported only into client 000. The reason for this is that Customizing data becomes the responsibility of the customer and must not subsequently be overwritten by data from SAP. This also applies, without restrictions, to translations.
However, it is sometimes useful for the customer to refresh the template data and default settings with current translations from SAP. New clients should only be copied from client 000 after this client has been updated with all required languages.

Note: For more information, see SAP Note 1164216 – T005, T005S Content which contains information on countries and regions as an example.

There are two ways to update a translated language for Customizing in an existing customer client:

● Using tools
● Manual translation (for example by choosing Goto → Translation from the Customizing activity in SAP Reference IMG)

Supplementing Customizing Using Transaction SMLT

To fill translation gaps that exist in a language, always perform the language supplementation after the language import. The supplementation actions are client-dependent. The language supplementation is performed in the client in which you are logged on. If you use multiple clients, you must perform the language supplementation explicitly in each production client. You can access the text stored in cross-client database tables from all clients. The default setting determines that cross-client tables are supplemented if you are logged on in client 000.

Caution: Do not supplement languages in a translation system.

Supplementing Customizing using transaction SMLT offers two options:

● Basic mode
● Expert mode

Based on feedback from experienced consultants, the expert mode is the recommended procedure because fewer supplementation-related problems have been encountered. For this, proceed as follows:

1. When supplementing a logon client, first manually maintain it using Client Maintenance (in transaction SMLT, select the line of the language in question and (from the menu) choose Language → Special Actions → Client Maintenance).
After confirming a popup, texts in customizing tables will be copied in insert mode from client 000 to the current client.
2. For the language that is to be supplemented, choose Language → Special Actions → Supplementation (Expert).
3. In the dialog box that appears, enter a description of the supplementation. The description is used to identify the supplementation on the overview screen of transaction SMLT.
4. In the Selection Conditions group box, you may specify conditions for selecting the quantity of tables to be supplemented. The fields are predefined in accordance with SAP recommendations and depending on the logon client. However, you can make changes as appropriate. To do this, choose Select.
5. After you have specified a start time and, if desired, a target server, supplement the language by choosing Execute.

A background job is scheduled, which performs the required steps. An entry is made for the supplementation on the overview screen of transaction SMLT, which you can manage and monitor by choosing the relevant icons. You can identify the status of the action from the icon which appears at the start of the relevant line.

To display more information about the supplemented tables at any time, see the supplementation log. Each line of the log contains the table name, status, client, and table supplementation mode first. You then see statistics about the number of processed, inserted, and modified lines. A return code and the table delivery class is also displayed. A green, yellow, or red traffic light appears for each table that has been completely processed, depending on the return code. To display the meaning of the return codes, choose the F1 Help for the return code column of the table.

The following rules apply to define supplementation logic:

● Languages with a translation level 1 cannot be supplemented.
If, however, these languages need to be supplemented, see SAP Note 111750 – Supplementing German with English (Customizing).
● It is necessary to define a supplementation language for every language in the system (except languages with a translation level 1).
● You can only supplement text from a language with a translation level 1 or from a language that has already been supplemented with a language with a translation level 1.

Note: Check the profile parameter zcsa/second_language that specifies which language is used as secondary language (that is, the language that is used in case of missing translation). The default value for this parameter is D. The supplementation language should be aligned with this parameter. So, if you want your supplementation language to be English, change this parameter to E.

When supplementing (client-specific) customizing text using transaction SMLT, you can choose from the following options (in expert mode, you can choose for every table independently):

Insert only (Mode I)
Any gaps in the foreign language are filled with the supplementation language. This mode does not change any existing entries.

Combined with RSREFILL (Mode 1)
This mode copies texts in the same language from client 000 before the supplementation (see mode I above). This can overwrite previously supplemented texts. The texts from client 000 are copied only if the corresponding texts match in the supplementation language in the local client and in client 000 and if the entry in the reference language is identical in both clients. Therefore a reference language is required as extra information. The comparison to the reference language ensures that only semantically meaningful text lines are copied. You can use this mode for client-specific Customizing tables only.

Combined with client maintenance (Mode 2)
This mode also copies texts from client 000 before the supplementation.
In contrast to mode 1 above, in this case, however, all texts missing or supplemented in clients different from 000 are copied. This mode is also only available for client-specific Customizing tables. Compared to mode 1, more text lines in the target language are copied from client 000 to the current client but the risk of copying semantically incorrect lines increases.

Update allowed (Mode U)
This mode also overwrites existing entries. You should therefore use this mode for special cases on certain tables, since it overwrites entries permanently.

Figure 141: Language Supplementation

You will find a general description of supplementation in SAP Note 1156507 – Language supplementation, RSREFILL and client maintenance. If you want to check an existing language import, read SAP Note 1159021 – Report RSTLAN_LANGUAGE_CHECK.

Hint: If the text in the role menus (SAP Easy Access) does not appear in the required language after the upgrade or the import of a new language, see SAP Note 538328 – Missing texts in user menu. This note contains the Z_ROLE_LANG_ADD report which can be used to replace missing transaction and folder text.

Example

Assume that the following Customizing text already exists:

Table 6: Example of Supplementation of Customizing Texts

| Client | Language | Description |
|--------|----------|-------------|
| 000 | EN | Company code |
| 000 | DE | Buchungskreis |
| 000 | ZZ | Bucki |
| 100 | EN | Comp. code |
| 100 | DE | Buchungskreis |
| 100 | ZZ | <N/A> |

The language-dependent text for the language ZZ in client 100 is missing. Assume that language ZZ is to be supplemented with DE and that EN is selected as the reference language. Then the supplementation behaves differently, as follows:

● Combined with RSREFILL (Mode 1): Since the text of reference language EN in client 000 is not the same as the text of language EN in client 100, the text of language ZZ is not copied from client 000 to client 100. The text of supplementation language DE is therefore copied from client 100. Result: Buchungskreis.
● Combined with Client Maintenance (Mode 2): No reference language is compared. The text of language ZZ is therefore copied from client 000. Result: Bucki.
● Insert only (Mode I): The text from supplementation language DE in client 100 is simply copied. Result: Buchungskreis.

Manual Translation

Due to connections between the translation tools and the Change and Transport System, it is possible to create Customizing text in a unique system, include it in transport requests, and distribute it in the system landscape in a targeted way. You can use transaction SE63 to translate the remaining Customizing text and to record the translation activities in transport requests. You can then distribute the transport requests in the system landscape using the Transport Management System (TMS) (transaction STMS).

Deleting the Language Load

If language-specific text has been imported, filled, or deleted (for example, data element text, screen text, or menu entries) and the obsolete or deleted text still appears on screen, the reason might be that only the text in the database has been changed. Usually, such problems should not occur because all language transport programs delete or invalidate the runtime objects when text has been changed in the database. This means that the system regenerates the load with the modified text automatically when the screen is next accessed. In rare cases, however, the load is not deleted completely or correctly and the obsolete text is still displayed. To solve this problem, run report RSLANG20. Here you can select the load types to be reset on the selection screen. For more information about the report, see SAP Note 110910 – Deletion of language load.

Note: For SAP S/4HANA, see also SAP Note 3082111 – General issues with displaying of Fiori Tile Text like Tiles and Subtitles.
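The supplementation modes and the Table 6 example described earlier in this lesson can be replayed as a small Python model to preview what each mode would change in a client. This is an added example, not SAP code and not part of the handbook; the table layout, the function names, and the "supplemented" flag are assumptions, and Mode U is modelled as overwriting with the supplementation-language text.

```python
# Added example: simplified model of the supplementation rules described above.
# The table layout, function names and the "supplemented" flag are assumptions.
import copy

TEMPLATE_CLIENT = "000"


def text_of(table, client, lang):
    """Return the stored text for (client, language), or None if it is missing."""
    entry = table.get((client, lang))
    return entry["text"] if entry else None


def supplement(table, client, target, supp_lang, mode, ref_lang=None):
    """Supplement language `target` in `client`; return the changed copy.

    table maps (client, language) -> {"text": str, "supplemented": bool}
    mode  "I" insert only, "1" with RSREFILL, "2" with client maintenance,
          "U" update allowed
    """
    if mode not in ("I", "1", "2", "U"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "1" and ref_lang is None:
        raise ValueError("mode 1 needs a reference language")

    result = copy.deepcopy(table)
    key = (client, target)
    current = result.get(key)
    # Modes 1 and 2 only touch texts that are missing or were supplemented before.
    replaceable = current is None or current["supplemented"]

    if mode in ("1", "2") and client != TEMPLATE_CLIENT and replaceable:
        from_000 = text_of(result, TEMPLATE_CLIENT, target)
        copy_ok = from_000 is not None
        if copy_ok and mode == "1":
            # Copy only if supplementation and reference texts agree in both clients.
            for lang in (supp_lang, ref_lang):
                local = text_of(result, client, lang)
                if local is None or local != text_of(result, TEMPLATE_CLIENT, lang):
                    copy_ok = False
        if copy_ok:
            result[key] = {"text": from_000, "supplemented": False}

    # Supplementation step: fill from the supplementation language in this client.
    supp_text = text_of(result, client, supp_lang)
    if supp_text is not None and (mode == "U" or key not in result):
        # Assumption: mode U overwrites with the supplementation-language text.
        result[key] = {"text": supp_text, "supplemented": True}
    return result


def table6():
    """Customizing texts from Table 6; ZZ is missing in client 100."""
    rows = [("000", "EN", "Company code"), ("000", "DE", "Buchungskreis"),
            ("000", "ZZ", "Bucki"), ("100", "EN", "Comp. code"),
            ("100", "DE", "Buchungskreis")]
    return {(c, l): {"text": t, "supplemented": False} for c, l, t in rows}


def handbook_example():
    """ZZ text in client 100 per mode: supplement with DE, reference EN."""
    return {mode: text_of(supplement(table6(), "100", "ZZ", "DE", mode, "EN"),
                          "100", "ZZ")
            for mode in ("1", "2", "I", "U")}


def dry_run(table, client, target, supp_lang, mode, ref_lang=None):
    """List (key, old text, new text) for entries the chosen mode would change."""
    after = supplement(table, client, target, supp_lang, mode, ref_lang)
    return [(k, text_of(table, *k), v["text"]) for k, v in after.items()
            if text_of(table, *k) != v["text"]]


if __name__ == "__main__":
    print(handbook_example())
```

The dry run makes the difference between the modes visible: a text maintained by the customer in client 100 is left alone by modes I, 1, and 2, and is replaced only by mode U.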
Address Versions

Figure 142: Storing Address Versions

The worldwide use of SAP software means that different notations must be used. The international address versions are attributes of the Business Address Services that allow the printing of addresses in different country-dependent scripts. “Different scripts” are not country-specific differences within character sets, such as umlauts in German or accents in French, but rather scripts that consist of a completely different character set. The figure above shows how storing address versions looks in the system.

When printing addresses, note that the script type of the addresses to be printed is determined neither by the current logon language, nor by the logon language at the time when the address was created. The international address versions allow you to print the same address in different fonts (versions), depending on certain parameters. A Japanese address should be output in Kanji if the country of the sender is also Japan, and in international script if the country of the sender is not Japan (see SAP Note 316331 – International address versions and its attachment).

The default version of an address can, in principle, be created in any of the permitted or available script types. However, it is useful to create all default versions of addresses within an installation in the same script to achieve uniform reporting. Address versions are automatically available in all applications that use Business Address Services.

Address versions must match the relevant default versions semantically and only represent one way of creating an address in multiple script types. Therefore, the details of the address version must be consistent. For this reason, numerical fields of the address (such as building number, postal code, and telephone numbers) are offered in the default version as default values in the additional version.
Changes to these fields are reflected in the default version of the address. Only text fields can be maintained differently in the different versions.

Additional Information on Importing Additional Languages into an SAP System

For information about delivered languages, see the SAP Support Portal at http://support.sap.com/globalization (or its successor). In addition, the following SAP Notes might be helpful:

● SAP Note 1375438 – Globalization Collection Note
● SAP Note 73606 – Supported Languages and Code Pages
● SAP Note 533888 – Example for Language Import and Error Specification
● SAP Note 18601 – Frequently asked questions on language import
● SAP Note 43853 – Consulting: Language-dependent and client-specific C-tables
● SAP Note 980626 – SE63 Translation Transport
● SAP Note 195442 – Language import and Support Packages
● SAP Note 352941 – Consultation: Languages and Support Packages
● SAP Note 2772594 – How to determine the supported languages for an Add-on or Support Package
● SAP Note 1000586 – How to analyze missing translations / missing texts
● SAP Note 1156507 – Language supplementation, RSREFILL and client maintenance
● SAP Note 1935497 – How to finish a language import by SMLT
● SAP Note 2185213 – Configuration of logon languages and profile parameter zcsa/installed_languages
● SAP Note 2068675 – Extend Language Configuration [VIDEO]
● SAP Note 2446912 – SMLT: Guided Answer for language installation and troubleshooting
● SAP Note 2560644 – How to modify and customize object translation
● SAP Note 2196392 – Common errors/warnings during language import
● SAP Note 1508122 – Installation and troubleshooting of languages in SAP system
● SAP Note 2456868 – Troubleshooting language installation and translation issues - CTSLAN-WIKI
● SAP Note 3114994 – Installation of Languages on SAP systems

SAP Education Course ADM340 – Setting up Customer Translation Projects
discusses customer translation requirements, advises customers on the appropriate translation strategy, discusses how to set up a translation project accordingly and how to configure the translation environment.

SAP Community blog Installation of Languages on SAP systems (https://blogs.sap.com/2012/12/10/installation-of-languages-on-sap-systems/) describes language installation on SAP systems step by step.

For bi-directional texts – Left To Right and Right To Left, see the wiki page https://wiki.scn.sap.com/wiki/display/ABAP/Bi-directional+texts+-+Left+To+Right+and+Right+To+Left.

Finally, the WIKI on Language Transport (https://wiki.scn.sap.com/wiki/display/SL/Language+Transport) is the place for resources and known issues related to the installation of language packages in an SAP system.

LESSON SUMMARY

You should now be able to:

● Explain the use of multiple languages in an SAP system
● Apply an additional language in an SAP system

Unit 6 Lesson 3

Addendum: Introducing Unicode

LESSON OVERVIEW

The lesson first explains the meaning of the terms code page and Unicode. Then it covers different aspects of a Unicode conversion in the context of AS ABAP based SAP systems.

LESSON OBJECTIVES

After completing this lesson, you will be able to:

● Define the terms code page and Unicode
● Outline the procedure of a Unicode Conversion

Prerequisites and Terms

SAP translates its AS ABAP based products into approximately 40 languages (in AS ABAP 7.00). However, in non-Unicode systems, due to the technical limitations of code pages, only certain language combinations can be used without restrictions. The following options exist:

● Single standard code pages, which support certain numbers of languages: The number and combination of the languages supported on one code page cannot be changed, but there are no restrictions for users.
Hint: As of AS ABAP 7.50, single code page systems are no longer supported. For details, see SAP Note 73606 – Supported Languages and Code Pages (and its attachments) and SAP Note 2033243 – End of non-Unicode Support: Release Details.

● Unicode, which enables just one single large code page to be used. Unicode includes all the characters of the languages that are relevant for business worldwide.

Hint: As of AS ABAP 7.00, Unicode is used for all new installations. As of SAP_BASIS 7.50, non-Unicode kernels are no longer offered. Therefore, as of AS ABAP 7.50, only Unicode-based SAP systems are supported. For details, see SAP Note 2033243 – End of non-Unicode Support: Release Details.

Unicode is the mandatory system type for SAP systems that use Java applications (for example, Java EE applications, Web Dynpro Java applications) and SAP ABAP systems that communicate using Java components (for example, using the SAP Java Connector) and for all SAP applications running in the cloud (such as SAP SuccessFactors or SAP Business Technology Platform). For more information, see SAP Notes 975768 – Deprecation of Java features with non-Unicode Backend and 1322715 – Unicode FAQs.

The character set describes the storage of a character. The options are single-byte character sets (one byte per character), double-byte character sets (one or two bytes per character), and Unicode character sets (one, two, or more bytes per character).

The code page determines the assignment of a character to a hexadecimal value. Different standards are available with regard to this, such as ISO and Microsoft. SAP uses its own four-digit descriptions such as 1100 and 8500 (for non-Unicode).

The locale is a set of rules for a language. It describes the conversion of lowercase characters to uppercase characters, if they exist. It is also responsible for national alphabetical sorting.
The name of the locale is constructed from <language>_<country>.<code page>, such as ru_RU.ISO88595 for Russian, Russia, code page ISO8859-5.

The common character set is shared by all code pages. It contains the seven-bit US ASCII characters (US7ASCII), that is, lowercase and uppercase letters from A-Z, the digits 0-9, and the special characters ” . , + - ( ) < > : * (see the following figure).

Figure 143: Standard Code Page in an SAP System

The following table shows languages that are supported for non-Unicode systems (see also table T002 in the SAP system). Languages that use the same code page can be used together with no restrictions. English only requires seven-bit US ASCII characters, and can therefore be combined with any other code page. However, English can only ever be used with one code page at the same time.

Table 7: Supported Languages and Their SAP Code Page

| Language | ISO 639-1 Language Code | SAP Language Code | SAP Code Page (ASCII) |
|----------|-------------------------|-------------------|-----------------------|
| Afrikaans | AF | a | 1100, 1610 |
| Arabic | AR | A | 8700 |
| Bulgarian | BG | W | 1500 |
| Catalan | CA | c | 1100, 1610 |
| Chinese | ZH | 1 | 8400 |
| Chinese (traditional) | ZF | M | 8300 |
| Croatian | HR | 6 | 1401 |
| Customer Reserve | Z1 | Z | N/A |
| Czech | CS | C | 1401 |
| Danish | DA | K | 1100, 1610 |
| Dutch | NL | N | 1100, 1610 |
| English | EN | E | 1100 |
| Estonian | ET | 9 | 1900 |
| Finnish | FI | U | 1100, 1610 |
| French | FR | F | 1100, 1610 |
| German | DE | D | 1100, 1401, 1610 |
| Greek | EL | G | 1700 |
| Hebrew | HE | B | 1800 |
| Hungarian | HU | H | 1401 |
| Icelandic | IS | b | 1100 |
| Indonesian | ID | i | 1100, 1610 |
| Italian | IT | I | 1100, 1610 |
| Japanese | JA | J | 8000 |
| Korean | KO | 3 | 8500 |
| Latvian | LV | Y | 1900 |
| Lithuanian | LT | X | 1900 |
| Malay | MS | 7 | 1100, 1610 |
| Norwegian | NO | O | 1100, 1610 |
| Polish | PL | L | 1401 |
| Portuguese | PT | P | 1100, 1610 |
| Romanian | RO | 4 | 1401 |
| Russian | RU | R | 1500 |
| Serbian | SR | 0 | 1500 |
| Serbo-Croatian | SH | d | 1401 |
| Slovak | SK | Q | 1401 |
| Slovenian | SL | 5 | 1401 |
| Spanish | ES | S | 1100, 1610 |
| Swedish | SV | V | 1100, 1610 |
| Thai | TH | 2 | 8600 |
| Turkish | TR | T | 1610 |
| Ukrainian | UK | 8 | 1500 |

When different languages that belong to the same code page are used at the same time in an SAP system, problems do not occur due to the character set.

A Code Page for All Characters: Unicode

In the past, Multi-Display, Multi-Processing (MDMP) and different character sets could be used individually to cover every language that is relevant for business. However, difficulties arose when you wanted to mix texts from different incompatible character sets in one SAP system. Exchanging data between systems with incompatible character sets can also lead to completely undefined situations.

Figure 144: Unicode: Example for Supported Languages

The solution is to use a standard that contains all characters of all languages that are relevant for business. This standard is called Unicode (ISO/IEC 10646) and consists of one or more bytes for each character. Every character has a unique representation (known as “Unicode code point” with notation: U+nnnn where nnnn are hexadecimal digits). Using Unicode brings significant advantages:

● The entire Internet is based on Unicode so Unicode is a basic prerequisite for international competitiveness.
● SAP users who work in any number of languages can work in a centrally installed system that covers business processes internationally.
● Even companies with different distributed systems want to prepare consolidated worldwide corporate information. Without Unicode, this is only possible to a limited extent.
● Multiple languages can be used simultaneously on one front end.
● Cross-application data exchange is possible without data loss due to incompatible character sets.
● Unicode is used by Cloud solutions.

Figure 145: Unicode Allows Languages from Different Code Pages on One Screen

Unicode is an international standard that assigns a unique number to every character from the different languages and therefore makes the presence of multiple code pages in one installation superfluous. With Unicode, all languages from the Unicode standard can be used without restrictions. As the standard encoding of all Internet communication (HTML, XML, Java, and so on), Unicode improves data communication across the boundaries of system landscapes and paves the way for closer integration of ABAP with these Internet technologies. At the same time, Unicode eliminates the risk of data loss due to code page incompatibilities.

Unicode is supported for all releases of SAP systems running on AS ABAP that are in maintenance.

Figure 146: Communication With and Without Unicode

Using non-Unicode code pages can cause restrictions, particularly when interfaces (such as ALE, EDI, BAPI, RFC, CPI-C, and XML) are used. While a Unicode system can receive all characters, a non-Unicode system may process characters from another code page incorrectly. The interface of a non-Unicode system should therefore be restricted to receiving data from its own code page only.

Note: In the course of a system landscape conversion to Unicode, you will be temporarily faced with a mixed landscape of Unicode and non-Unicode systems. In addition, you may have third-party software which does not support Unicode at all. As a special service, SAP communication interfaces enable communication between Unicode and non-Unicode partners. But nevertheless, SAP strongly recommends converting all systems as soon as possible to Unicode.
For more details, see SAP Note 1990240 – Support of mixed landscapes (Unicode <=> Non-Unicode).

Note: Concerning the operation of SAP Fiori apps in a system landscape with a non-Unicode back end and a Unicode user interface (UI) front-end server, see SAP Note 1978213 – SAP Fiori UI and non-Unicode back end.

SAP's aim is complete internationalization with Unicode and better integration of SAP technology with other Internet technologies.

All languages defined in ISO-639 and ISO 639-2 can be used as language tags in a Unicode system. This means that characters from practically any language and any script can be stored in the database. However, this does not mean that there are localized versions or translations for all languages. For more information, see SAP Note 73606 – Supported Languages and Code Pages and SAP Note 895560 – Support for languages only available in Unicode systems.

Unicode can be implemented by different character encodings. Among others, the Unicode standard defines UTF-8 and UTF-16:

● UTF-8 uses one byte for the first 128 code points, and up to 4 bytes for other characters. The first 128 Unicode code points are the ASCII characters; therefore an ASCII text is a UTF-8 text. UTF-8 is widely used by websites.
● UTF-16 uses two bytes (16 bits) for each character to encode the first 65,536 code points and a 4-byte encoding for the other code points.

As of 2020, approximately 144,000 characters are defined in the Unicode standard, with additional space for more than a million characters. Characters may be represented in big-endian or little-endian format, depending on whether bits or bytes or other components are ordered from the big end (most significant bit) or the little end (least significant bit).
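The encoding rules described above, worked through in Python as an added example (not part of the SAP course material; all function names are this example's own). It encodes a single code point to UTF-8 and to big- and little-endian UTF-16, and also covers code points above U+FFFF, which need the 4-byte forms.

```python
"""Added example: UTF-8 and UTF-16 encoding of a single Unicode code point."""

MAX_CODE_POINT = 0x10FFFF


def _check(cp: int) -> None:
    # U+D800..U+DFFF are reserved for UTF-16 surrogate pairs and are not characters.
    if not 0 <= cp <= MAX_CODE_POINT or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"not an encodable code point: {cp:#x}")


def utf8_encode(cp: int) -> bytes:
    """Encode one code point as 1 to 4 UTF-8 bytes."""
    _check(cp)
    if cp < 0x80:        # first 128 code points: identical to ASCII
        return bytes([cp])
    if cp < 0x800:       # 2 bytes: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:     # 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (cp >> 12),
                      0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18),   # 4 bytes: 11110xxx + three continuation bytes
                  0x80 | ((cp >> 12) & 0x3F),
                  0x80 | ((cp >> 6) & 0x3F),
                  0x80 | (cp & 0x3F)])


def utf16_encode(cp: int, big_endian: bool = True) -> bytes:
    """Encode one code point as one or two 16-bit units in the given byte order."""
    _check(cp)
    if cp < 0x10000:
        units = [cp]                       # first 65,536 code points: one unit
    else:
        v = cp - 0x10000                   # 20 bits, split into a surrogate pair
        units = [0xD800 | (v >> 10), 0xDC00 | (v & 0x3FF)]
    order = "big" if big_endian else "little"
    return b"".join(u.to_bytes(2, order) for u in units)


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02X}" for b in data)


def table_row(cp: int) -> tuple:
    """(code point, UTF-16 big-endian, UTF-16 little-endian, UTF-8) as hex strings."""
    return (f"U+{cp:04X}",
            hexdump(utf16_encode(cp, True)),
            hexdump(utf16_encode(cp, False)),
            hexdump(utf8_encode(cp)))


if __name__ == "__main__":
    # 0x1F600 lies outside the first 65,536 code points (4 bytes in both encodings).
    for code_point in (0x61, 0xE4, 0x3B1, 0x3479, 0x1F600):
        print(" | ".join(table_row(code_point)))
```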
The following table shows the representation of some characters in the different UTF formats:

Table 8: Unicode: Representation of Characters in UTF-8 and UTF-16 – Examples

Character  Unicode Codepoint  UTF-16 Big-Endian  UTF-16 Little-Endian  UTF-8
a          U+0061             00 61              61 00                 61
ä          U+00E4             00 E4              E4 00                 C3 A4
α          U+03B1             03 B1              B1 03                 CE B1
           U+3479             34 79              79 34                 E3 91 B9

What Does Unicode Mean for an AS ABAP-Based SAP System?

To be Unicode-enabled, ABAP programs must be changed wherever an explicit or implicit assumption is made about the internal length of a character. A new level of abstraction is reached that allows the same programs to run both in a non-Unicode system and in a Unicode system.

The average character length increases in the database when Unicode is used (compared to the use of the Latin-1 code page alone). Therefore the hardware requirements also increase with regard to CPU, RAM, database size, and network. The following figure summarizes the hardware requirements (compared to a non-Unicode system based on a 1 byte code page).

Figure 147: Unicode Hardware Requirements

Statistically, you should expect a Unicode system to have a database that is up to 30% larger (depending on the Unicode representation, UTF-8 or UTF-16). This has direct consequences for the time required for a data backup or a data restore in the case of an error. The larger quantity of data means that to maintain the performance of the system, you should expect to provide around 30% to 50% more CPUs, main memory (RAM), network bandwidth (between database server and instances server), and so on.

Although the additional hardware requirements for Unicode-based SAP systems are sometimes seen as a disadvantage, the obvious advantage is that the SAP system can understand all the incoming characters, as seen in the figure “Communication With and Without Unicode” above.
Unicode Conversion

It is relatively easy to convert an SAP system with just one code page (Single Codepage system) to Unicode. It is considerably more difficult to migrate an MDMP system. For this reason, the system should be converted to Unicode at an early stage, before different code pages come into play. The following figure shows the main phases of a Unicode conversion.

Figure 148: Unicode Conversion Process

As of SAP Web AS 6.10 (released in 2001), ABAP supports multi-byte coding of characters in Unicode. Before that, only character sets that were based on single-byte code pages such as ASCII and EBCDIC or double-byte code pages such as SJIS and BIG5 were used.

The Unicode conversion affects all statements for which an explicit or implicit assumption is made about the internal length of a character. Programs that exploit the Unicode-enablement of the runtime environment must be checked for such statements and converted if necessary. A Unicode-enabled program that has been converted behaves the same way in Unicode and non-Unicode systems. Programs can be prepared in a non-Unicode system before a Unicode system is installed. Transaction UCCHECK is available in the SAP system to support this check. Transaction SPUMG prepares the database tables of a non-Unicode system.

Note: In an MDMP system, multiple code pages are used simultaneously. The logon language determines the code page that is active for each user. As the active code page changes again and again, tables that contain non-ASCII characters must have a language key to ensure that data is processed with the correct language. This is not, however, the case for all tables. The problem then is to determine the code page from which individual pieces of data originate.
The following figure shows the default conversion method, which is to export the entire database using R3Load, create a new Unicode database, and then import the database using R3Load again. SAP Software Provisioning Manager (SWPM) is the tool to control R3Load and perform the Unicode conversion.

Figure 149: Unicode Conversion (without Upgrade)

During the Unicode conversion of an SAP database, text data from the code pages of the original system is converted to Unicode. In an MDMP system, language key information must be used during the conversion to avoid a wrong conversion. It is possible that non-ASCII characters have been entered in tables without language keys, or that the language keys are not available, for example in tables created by customers. Converting tables of this type represents a problem. The phases of preparation and post-conversion processing are used to avoid data loss in these situations.

The prerequisites for a Unicode conversion are as follows:

● The target release of the SAP system you want to use must be based on Unicode.
● Unicode is supported only for SAP Web AS 6.20 and above. Older systems must first be upgraded to at least SAP Web AS 6.20; the preparation phase can be performed as of SAP Web AS 6.10.

The process itself is as follows (see figure “Unicode Conversion Process” above):

1. Conversion preparation: Collect information about the database (language keys, tables, and so on). This information is stored in a control file for each table in the database, and is then stored in the control table. The conversion tools read the information from the control table during the export and import. The information is also used during post-conversion processing. By performing this process, you prepare the database export and create the control files for all tables in the database.
The control files contain the information that is required to ensure a consistent conversion to Unicode. The descriptions are stored in the control table. Use transaction SPUMG to prepare for the conversion.

To prepare for the conversion, divide the tables into a number of categories:

● Code page-dependent with language key: The table consists of text data that contains non-ASCII characters.
  - Dependent on one code page: All rows in the table have language keys belonging to languages that use the same code page. The entire table can be converted with one code page.
  - Dependent on multiple code pages: The rows in the table contain language keys belonging to languages that use different code pages. The table must be converted with the help of multiple code pages.
● Code page-dependent with no language key: The table consists of text data that contains non-ASCII characters. The text data is therefore language-dependent. The language key needs to be specified.
  Hint: System vocabulary: Words from code page-dependent tables without language keys are entered in the system vocabulary. The scanner then searches for the words in tables with language keys to determine the correct code page.
● ASCII: The table consists only of text data that contains ASCII characters. The table is not language-dependent and it is therefore irrelevant which code page is used for the conversion.

Caution: Whereas no significant problems exist with single code page systems, this is not the case with MDMP systems. In MDMP systems, you cannot automatically determine the code page in which each database record was entered. This means that time-consuming manual preparation is sometimes required (for example, by native speakers of the respective languages) to identify the language (and thus the code page) in which the individual database records were created.

2. Conversion to Unicode: The database is exported, deleted, reinstalled as a Unicode database, and re-imported from the export file. The actual conversion takes place during the export. Information about the conversion is stored in a control table that is read by R3Load during the export. The option of splitting tables into categories is only of interest for MDMP conversions and not for single code page conversions.

3. Post-conversion processing: Use the information collected during conversion preparation to repair data that was not converted correctly. To do so, use reports provided by SAP (such as UMG_ADD_POST_STEP). In addition, you should, for example, check the RFC destinations in transaction SM59 to avoid problems with TCP/IP connections.

Most known errors concerning the Unicode conversion are described in the Unicode Conversion Troubleshooting Guide, which is attached to SAP Note 765475 – Unicode Conversion: Troubleshooting.

Unicode and Upgrading

SAP no longer supports blended code pages for new installations. As of SAP ERP 6.0 (SAP ECC 6.0), existing MDMP configurations and blended code pages that are part of an MDMP configuration are no longer supported. They must be converted to Unicode before or during the upgrade. In addition, as of AS ABAP 7.50, SAP systems require a Unicode Kernel, which means that non-Unicode SAP systems are not supported as of AS ABAP 7.50.

The following figure shows the supported code page configurations depending on the SAP R/3 / SAP ECC system release used. For more information, see SAP Notes 79991 – Multi-Language and Unicode support of SAP applications, 540911 – Unicode restrictions for R/3 Enterprise, ECC 5.0, ECC 6.0 and 2033243 – End of non-Unicode Support: Release Details.
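Returning to the table categories from conversion preparation (step 1 above) and the reason a language key matters in an MDMP system: the following Python sketch is an added example, not SAP tooling or course code. Table names and rows are constructed, and the mapping of SAP code pages 1100, 1401 and 1500 to the ISO 8859-1, -2 and -5 codecs is an assumption of this example.

```python
"""Added example: sorting tables into the conversion-preparation categories."""

# Language key -> SAP code page, taken from the language table on this page
# (Spanish is listed with 1100 and 1610; 1100 is used here).
LANG_CODEPAGE = {"ES": "1100", "RO": "1401", "SK": "1401", "RU": "1500", "UK": "1500"}

# ASSUMPTION (not from the page): Python codecs standing in for the SAP code pages.
CODEPAGE_CODEC = {"1100": "iso8859_1", "1401": "iso8859_2", "1500": "iso8859_5"}

ASCII = "ASCII"
ONE_CODE_PAGE = "code page-dependent with language key: one code page"
MULTIPLE_CODE_PAGES = "code page-dependent with language key: multiple code pages"
NO_LANGUAGE_KEY = "code page-dependent with no language key"


def is_ascii(data: bytes) -> bool:
    return all(b < 0x80 for b in data)


def categorize(rows) -> str:
    """rows: list of (language_key_or_None, raw_bytes) for one table."""
    code_pages = set()
    for lang, data in rows:
        if is_ascii(data):
            continue  # ASCII bytes convert identically under every code page
        if lang not in LANG_CODEPAGE:
            return NO_LANGUAGE_KEY  # origin of these bytes cannot be derived
        code_pages.add(LANG_CODEPAGE[lang])
    if not code_pages:
        return ASCII
    return ONE_CODE_PAGE if len(code_pages) == 1 else MULTIPLE_CODE_PAGES


def to_unicode(lang, data: bytes) -> str:
    """Convert one row, choosing the code page from the row's language key."""
    if is_ascii(data):
        return data.decode("ascii")
    if lang not in LANG_CODEPAGE:
        raise LookupError("non-ASCII data without a usable language key")
    return data.decode(CODEPAGE_CODEC[LANG_CODEPAGE[lang]])


# Constructed sample data: bytes as a non-Unicode system would have stored them.
RU_CITY = "Москва".encode("iso8859_5")
SK_CITY = "Žilina".encode("iso8859_2")
RO_CITY = "Braşov".encode("iso8859_2")
TABLES = {  # hypothetical table names
    "ZPLANT": [(None, b"PLANT 1000"), ("ES", b"MADRID")],
    "ZTEXT_EE": [("SK", SK_CITY), ("RO", RO_CITY)],
    "ZTEXT_MDMP": [("RO", RO_CITY), ("RU", RU_CITY)],
    "ZCUSTOM": [(None, RU_CITY)],
}


def report() -> dict:
    return {name: categorize(rows) for name, rows in TABLES.items()}


def wrong_code_page_demo() -> tuple:
    """Decoding Cyrillic bytes as code page 1100 raises no error; the text is just wrong."""
    wrong = RU_CITY.decode(CODEPAGE_CODEC["1100"])
    right = to_unicode("RU", RU_CITY)
    return wrong, right


if __name__ == "__main__":
    for name, category in report().items():
        print(f"{name}: {category}")
    print(wrong_code_page_demo())
```

The wrong decode succeeds silently, which is why the category of each table has to be settled before the export rather than discovered afterwards.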
Figure 150: Code Page Support in Different SAP Releases (Example)

The conversion of single code page (SCP) SAP systems to Unicode is relatively simple and requires only a few preparatory steps. The conversion of SAP MDMP systems is a complex procedure that should not be undertaken without consulting the Unicode Conversion Guide. Support from an experienced SAP consultant is also recommended. The following list shows possible conversion paths.

Supported Unicode Conversion Paths

● Unicode conversion without upgrade: start release is between (and including) SAP Web AS 6.20 and AS ABAP 7.40.
● Use the Database Migration Option (DMO) of Software Update Manager (SUM): target release is AS ABAP 7.40.
● Combined Upgrade & Unicode Conversion (CU & UC): target release is AS ABAP 7.40 and lower.

Note: If possible, start the upgrade and the Unicode conversion as separate projects at different times.

From a technical point of view, Unicode conversions and upgrades are two separate areas that are initially independent of one another. If the release of your respective SAP system already supports Unicode, you can carry out a Unicode conversion independent of an upgrade. For more information, see SAP Note 551344 – Unicode Conversion Documentation.

The question regarding Unicode conversion is often asked as part of an upgrade planned for one of your SAP systems. If your system is a single code page system and your target release supports Unicode, you should first carry out a Unicode conversion and then upgrade to your target release as an independent project.

The Software Update Manager (SUM) is equipped with the feature Database Migration Option (DMO). This option helps you avoid landscape changes (SID, host name). The SUM tool combines all relevant steps for the in-place migration to SAP HANA: Unicode conversion, upgrade, and migration.
Further benefits include the reduced business downtime and the remaining consistency of the source database so that a fast fallback is possible.

Note: If the target release contains SAP_BASIS 7.50 and above, you must perform the Unicode conversion standalone, before starting SUM.

Figure 151: SUM: Database Migration Option (DMO)

If you cannot follow this procedure, you can also perform the upgrade and the Unicode conversion together during downtime (Combined Upgrade and Unicode Conversion). This allows you to reduce the downtime of the production system, which can be longer if you carry out the upgrade and conversion one after the other, as seen in the following figure.

Figure 152: Combined Upgrade and Unicode Conversion

Hint: The combined upgrade with Unicode conversion is not available for a target release based on AS ABAP 7.50 and higher. For more information, see SAP Note 928729 – Combined Upgrade & Unicode Conversion (CU & UC).

Additional Information on Unicode

For more information on Unicode, the following SAP notes may be helpful:

● SAP Note 765475 – Unicode Conversion: Troubleshooting (including a troubleshooting guide as attachment)
● SAP Note 1319517 – Unicode Collection Note
● SAP Note 551344 – Unicode Conversion Documentation (including Unicode Conversion Guides for MDMP systems)
● SAP Note 1322715 – Unicode FAQs.
● SAP Note 1051576 – Conversion of Single Code Page Systems to Unicode (including Unicode Conversion Guides for single code page systems). Note that the Unicode Conversion Guide is published in a separate version for all recent AS releases.
● SAP Note 928729 – Combined Upgrade & Unicode Conversion (CU & UC)
● SAP Note 2602070 – Troubleshooting Unicode Conversion and I18N issues: BC-I18-WIKI.
● SAP Note 79991 – Multi-Language and Unicode support of SAP applications and 540911 – Unicode restrictions for R/3 Enterprise, ECC 5.0, ECC 6.0 about Unicode availability
● SAP Note 814707 – Troubleshooting for RFC connections Unicode/non-Unicode lists problems with RFC data transfer between Unicode and non-Unicode systems

LESSON SUMMARY

You should now be able to:

● Define the terms code page and Unicode
● Outline the procedure of a Unicode Conversion

Unit 6 Learning Assessment

1. Which transaction can you use to check and import a local version into a system as an add-on?
Choose the correct answer.
X A SMLT
X B SE63
X C SAINT
X D SPAM

2. What must be taken into account when importing an additional language into an SAP system?
Choose the correct answers.
X A After the actual import of the language package, language-dependent texts from Support Packages that have already been imported must also be imported using transaction SMLT.
X B The Support Packages that had already been imported into the SAP system at the time of the language import must be completely re-imported using transaction SPAM.
X C Languages that are not completely translated require a supplementation language.
X D All languages are already available in the database of the SAP system right after installation and transaction SMLT is used to make them known in the system.

3. To prepare for the Unicode conversion, the database tables must be prepared in transaction SPUMG and customer developments must be checked in transaction UCCHECK before the conversion.
Determine whether this statement is true or false.
X True
X False

Unit 6 Learning Assessment - Answers

1. Which transaction can you use to check and import a local version into a system as an add-on?
Choose the correct answer.
X A SMLT
X B SE63
X C SAINT
X D SPAM

Correct. You can use SAP Software Add-On Installation Tool (transaction SAINT) to check and import a local version into an SAP system.

2. What must be taken into account when importing an additional language into an SAP system?
Choose the correct answers.
X A After the actual import of the language package, language-dependent texts from Support Packages that have already been imported must also be imported using transaction SMLT.
X B The Support Packages that had already been imported into the SAP system at the time of the language import must be completely re-imported using transaction SPAM.
X C Languages that are not completely translated require a supplementation language.
X D All languages are already available in the database of the SAP system right after installation and transaction SMLT is used to make them known in the system.

Correct. After the actual import of the language package, language-dependent texts from Support Packages that have already been imported must also be imported using transaction SMLT. In addition, languages that are not completely translated require a supplementation language, for example to fill translation gaps.

3. To prepare for the Unicode conversion, the database tables must be prepared in transaction SPUMG and customer developments must be checked in transaction UCCHECK before the conversion.
Determine whether this statement is true or false.
X True
X False

Correct. Both steps have to run before the conversion takes place.

Glossary

Application Link Enabling
Technology for setting up and operating distributed applications. Application Link Enabling (ALE) facilitates the distributed, but integrated, installation of SAP systems. This involves business-driven message exchange using consistent data across loosely linked SAP applications.
Applications are integrated using synchronous and asynchronous communication - not by using a central database. ALE consists of the following layers:
● Application services
● Distribution services
● Communication services

Central System
In the case of systems linked with ALE, you differentiate between the system in which the distribution model of the data is managed, and the linked (managed) systems. The managing system is called the central system, and the linked systems are called child systems.

Central User Administration
The management of users in a central system. An SAP system group consists of multiple SAP systems with multiple clients. The same users are often created and the same roles assigned in each client. Central User Administration is designed to perform these tasks in a central system and distribute the data to the systems in the SAP system group.

eCATT
A tool developed by SAP for software test automation.

Enqueue Replication Server
Component of Application Server ABAP that replicates the lock table to prevent losing it if the Standalone Enqueue Server fails. This ensures high availability for the Standalone Enqueue Server. The Replication Server runs on the ERS instance.

Globalization
The combination of internationalization and localization, which results in a product that is suitable for use in different parts of the world.

ICF Recorder
Tool for recording and evaluating HTTP requests to the ICF.

ICF Service
Links a certain URL (requested service of an SAP system with AS ABAP) to an HTTP request handler of the ICF (development objects).

IDoc (Intermediate Document)
Data container with a particular format used for exchanging data between SAP systems, and also for exchanging data container data with non-SAP systems. These data packages are sent by RFC. IDocs are primarily used for exchanging data in an ALE integrated system.

Internet Communication Framework
Environment for handling Web requests in ABAP work processes of an SAP system (in its role as a Web server and a Web client). The ICF is the bridge between the kernel of the SAP system and the application program written in ABAP. The ICF consists of ABAP classes and interfaces, the objects and methods of which can be accessed in a Web Dynpro ABAP application, for example.

Internet Communication Manager
Component of the SAP architecture that allows the ABAP based SAP system to communicate directly with the internet. Technically, the ICM is a standalone multi-threaded process that is started and monitored by the ABAP dispatcher.

Internet Server Cache
Cache for response pages of the ICM. This stores pages before they are sent to the client. The next time that the relevant URL is called, as long as the expiry time has not elapsed, the page is sent back to the client directly from the ICM; in this case, it does not need to be branched to the task handler and the ICF.

Local Version
A business function subject to legal requirements of an individual country / region, can be part of the standard SAP system or available as add-on.

OData
Standard that defines a set of best practices for building and consuming RESTful APIs.

SAP Gateway
A technology framework enabling exposure and simplified access to SAP software from any device or environment using standard, open protocols. It opens data and processes running on SAP applications for software developers to create apps in different environments and devices to engage many more business consumers. Formerly called SAP NetWeaver Gateway.

SAP Web Dispatcher
SAP solution for load distribution for HTTP(S) requests. If an SAP system consists of multiple instances, the SAP Web Dispatcher receives the requests from the browser and forwards them to the application server that currently has most capacity. This simplifies administration since there is only one entry point (IP address, HTTP(S) port, and so on) to the SAP system.

SAPconnect
Interface for integrating external communications with the SAP system. SAPconnect enables third-party vendors to connect their communication servers to the SAP system. Among others, SAPconnect allows you to use the communication method SMTP in the SAP system.

SAPUI5
UI development toolkit for HTML5 that supports application developers in creating fast and easy applications based on HTML5 and JavaScript.

Simple Mail Transfer Protocol (SMTP)
Standard for exchanging e-mails between servers in the network. Mail clients use SMTP to send e-mails to a server, but not to receive e-mails.

Standalone Enqueue Server 2
Successor to the Standalone Server that also provides the SAP lock concept in order to manage simultaneous access to shared data. It is implemented as part of a high availability solution in AS ABAP. Together with the Message Server, the Standalone Server runs on the ASCS instance.

System Data Container
The system landscape data of the system under test is stored in the system data container SDC. SDC lists the target systems and RFCs that are used during creation and execution of test cases. SDC is in the SAR file downloaded from SAP Service Marketplace, and is stored in the customer system automatically.

Test Script
Used to control the individual steps of an eCATT test run. It consists of special commands from the eCATT command set, however it can also contain other elements, such as ABAP source code sequences.

Transport Layer Security
Cryptographic protocol designed to provide communications security over a computer network, successor of Secure Socket Layer (SSL).

Unicode
A 16-bit character set that represents commonly used characters, for example letters and digits, in digital form. Unicode has a distinct advantage over the 8-bit character set ASCII, in that it can render a much larger set of characters. For example, Unicode can represent over 30,000 distinct coded characters, whereas ASCII can only represent 128.

Web Service that defines a set of best practices for building and consuming RESTful APIs.

WSDL
XML-based interface description language that is used for describing the functionality offered by a Web service.