
JAVA Stack

1. Architecture
2. Configuration
   2a. Visual Administrator
   2b. Config Tool
   2c. NWA
3. Stop & Start
4. Monitoring
5. Administration
6. User Administration

Architecture:

1. Only JAVA Stack:

The following components are part of a Java instance:
1. The Java dispatcher distributes the client requests to the free server processes of the instance.
2. The server processes provide the infrastructure in which the J2EE applications run.
3. The Central Services form a special Java instance. They provide the basis of communication and synchronization within a Java cluster.

The Central Services provide the basis for communication and synchronization for the Java cluster:
- The message service administers a list of the dispatchers and the server processes of the Java cluster. It represents the infrastructure of data exchange (for small quantities of data) between the nodes involved. In the case of load balancing between a large number of Java instances, it also provides the load balancing information for the SAP Web Dispatcher.
- The enqueue service administers logical locks that are set in a server process by the executed application program. It is also used for cluster-wide synchronization.

4. During its installation, the Software Deployment Manager is also installed.

2. Dual Stack: (ABAP + JAVA)

The individual components and their tasks are briefly presented in the following:
- The Internet Communication Manager (ICM) creates contact with the Internet. It can process both server and client Web requests. It supports the protocols HTTP, HTTPS, and SMTP. SAP Web AS can act either as a Web server or as a Web client.
- The ABAP dispatcher distributes the requests to the work processes. If all processes are occupied, the requests are stored in the dispatcher queue.
- The ABAP work processes execute the ABAP code.
- The message server is used to exchange messages and to balance load in the SAP system.
- In the Java part of SAP Web AS, there are the components Java dispatcher, server process, and Software Deployment Manager (SDM) as well as the Central Services.

Note: The ABAP & JAVA stacks communicate through JCo (Java Connector) RFC.

Administration and configuration tools of SAP Web AS Java

The following tools are used for administration & configuration of the Java Stack:
1. Visual Admin
2. Config Tool
3. NWA (NetWeaver Administrator)

Usage Areas of the Tools:

Tool: Visual Admin
  Prerequisites: Both database & Java must be running
  Use:
    1. Configuration of Services & Managers
    2. Remote Configuration
    3. Starting & Stopping of the services
    4. Stopping the Java Instance
  Special Features:
    1. We can make dynamic changes to few selected services.

Tool: Config Tool
  Prerequisites: The database must be running
  Use:
    1. JAVA VM Configuration
    2. Configuration of Services & Managers
  Special Features:
    1. Restart of SAP JAVA WAS so that changes take effect
    2. No userid/password required
    3. Local administration

How to Connect to the Tool:

1. Visual Administrator

1. The Visual Administrator is started with the call go.bat at operating system level.
2. The go.bat file is stored under the following path at operating system level: \usr\sap\<SID>\<central instance>\j2ee\admin
3) Double-click the file go.bat.
4) The Visual Administrator starts and displays a window with the name Connect to SAP J2EE Engine.

Creating a new entry for connecting to your SAP Web AS Java:
1) Choose the New button, and enter the name of your SAP Web AS in the Display Name field in the new window.
2) Select Direct Connection to Dispatcher Node and choose the Next button.
3) In the User Name field, enter your Java user (such as JADM_@@).
4) In the Host field, enter "localhost".
5) In the Port field, enter "50004" if your SAP Web AS is called "DEV" and "51004" if your SAP Web AS is called "QAS".
6) Save your settings.

Log on to your SAP Web AS Java with the newly created entry:
a) Select your entry, choose Connect, enter your password, then choose Connect again, and change your password.

2. Config Tool

1. The Config Tool is started with the call configtool.bat at operating system level of
2. The file configtool.bat is stored under the following path at operating system level: \usr\sap\<SID>\<Central Instance>\j2ee\configtool.
3. No user or passwords are required to call the Config Tool.
4. You must still confirm whether you want to use the default database settings or whether you want to change them.

The Config Tool is available to you to edit

How to configure the parameter through the Tools:

1. Visual Administrator: There are two different views in the Visual Administrator: the view for global configuration and the view for local configuration (also called cluster configuration).

Figure: Global vs. Local Configuration

Difference between Global & Local configuration: Through the Global view we can maintain the value of a parameter for all active nodes (dispatcher & server process), while through the Local view we can maintain the value of a parameter for an individual node.

2. Config Tool: Memory Management of the Java Stack:

Configuration of the Java VM Settings with the Config Tool

The settings for the Virtual Machine (VM) are maintained with the Config Tool. The window on the left in the Config Tool displays the structure of the cluster in "global settings" and in settings for the individual cluster elements. The cluster elements are always assigned to an instance with an instance number. This instance number is also contained in the name of the dispatcher or server processes. See also the figure "Window Sections in the Config Tool". The following is useful as an orientation aid: if there is no instance number next to the dispatcher or server, you are in the global settings. The parameters of the selected elements are displayed and maintained in the window on the right of the Config Tool.

Caution: We can only use the Config Tool to change parameters if all instances of a SAP Web AS Java are stopped.

Figure: Window Sections in the Config Tool

Maintain the VM settings by selecting a dispatcher or server node of the instance in the window on the left of the Config Tool.

The VM parameters with their settings then appear in the window on the right. The runtime parameters are on the General tab page. See also the figure "VM Settings". The Bootstrap tab page contains the settings for the start process. The parameter Java Home sets where in the file system the SDK resides. You can also change the parameter Max heap size with the arrow keys. Max heap size is referred to in SAP Notes or the Sun documentation as "-Xmx". The other Java parameters illustrated in the figure "VM Settings" are familiar from the previous section. You can edit or delete them in the Config Tool. You can also add additional parameters, such as "-XX:MaxPermSize=128m", here. After you have completed your maintenance work, you must save the settings in the database by choosing Apply changes. When the SAP Web AS Java instance is restarted, it is started with the new values.

Maintaining other Parameters with the Config Tool: We can also maintain parameters of the dispatcher service & server process through the Config Tool. We can maintain them both globally and through local settings.

SAP NetWeaver Administrator

SAP NetWeaver Administrator (SAP NWA) is a new tool for administration and monitoring. The SAP NWA combines the most important administration and monitoring tools for Java and ABAP systems in a new, browser-based user interface. You can start the SAP NWA using the following URL: http://<server>.<domain>:<port>/nwa such as http://PAAA.wdf.sap.corp:50000/nwa.

Figure: SAP NetWeaver Administrator

The SAP NWA distinguishes itself by the following features:
- Tool for administration
  - Starting and stopping systems, instances, services, applications
  - User administration
- Tool for technical configuration
- Tool for monitoring
  - Monitoring (also detailed analysis)
  - Log information display
- Tool for system analysis
  - Performance analysis
  - Application trace and performance trace
- Centralization
- Extensibility

Centralization means that the SAP NWA provides a central overview of all systems in the landscape (ABAP and Java) and the entire landscape can be managed. You no longer need to switch between different tools for the administration, troubleshooting and problem analysis of your entire SAP NetWeaver system landscape. The current version of the SAP NWA does not allow the administration of ABAP systems. The monitoring functions can be used for ABAP and Java systems. In the future, the SAP NWA will be extended with other NetWeaver components. The interface allows for the seamless navigation to other SAP NetWeaver administration tools (User Management Engine, also System Landscape Directory and Adaptive Computing in the future).

The Administration area displays the typical management tasks for an administrator, such as starting, stopping, configuration of the system selection and user administration.

In the Monitoring area, you have an overview of the availability of the selected systems. The Alert Browser displays the current alerts. In addition, certain monitoring collections from the Computing Center Management System (CCMS) of SAP Web AS ABAP systems are available in the central reports. The Java system report is a summary of performance data.

In addition to the log configuration, mainly system and landscape setup tasks are taken care of in the Configuration area. This includes the creation of virtual hosts and the creation/changing of logon groups. The settings such as VM and services parameters can be verified as well. The listed functions of the SAP NWA will be examined in more detail in the following lessons.

SAP NWA Architecture

The SAP NWA can be used locally for a system as well as in a central scenario.

Local scenario: mainly used by customers with very small landscapes or for developer installations (SAP NetWeaver Developer Workplace). The SAP NWA is a part of the SAP NetWeaver installation and can be used to administer the local system on which it is running.

Central scenario: the same tool is used as for the local scenario. The SAP NWA is integrated in the central management infrastructure, to which the System Landscape Directory (SLD) and the monitoring infrastructure in the CCMS also belong. The SLD administers system landscape information. The structure of a central SAP NWA will be described in a following lesson.

You can choose between both scenarios when you start the SAP NWA. The SAP NetWeaver Administrator (SAP NWA) provides you with the central functions for administration, configuration and monitoring.

Administration in the SAP NWA

The status of all instances on the selected systems (local or remote systems) is displayed under System. The version and detailed information such as instance and server names can be seen for these instances. The operating system and Java processes are shown in the detailed data of a selected instance. You can also start and stop here and choose the Debug option. All available services and their dependencies are listed and can be activated or deactivated.

If you have connected remote systems to the SAP NWA, you can define a system selection in the System area and then use it to obtain the monitoring data for this system selection.

You can execute the start and stop functions for applications on the selected systems in the applications area. The status, module, references and resources are displayed for each deployed application. You can find the duration and time of deployment and the archive size in the available detailed data, for example.

For the SAP Web AS Java, the User Management Engine (UME) application is delivered, which is responsible for user administration. This application is embedded in the SAP NWA and provides functions for the central administration of users, groups, and roles. In the UME you will also find roles that are delivered to the SAP NWA that you can assign to certain users.

SAP NWA Roles and Authorizations

The following authorizations exist for the SAP NWA:
- SAP_JAVA_NWADMIN_LOCAL
- SAP_JAVA_NWADMIN_LOCAL_READONLY
- SAP_JAVA_NWADMIN_CENTRAL
- SAP_JAVA_NWADMIN_CENTRAL_READONLY

The local roles allow you to administer the local system on which the SAP NetWeaver Administrator is started. The central roles are for administering the entire landscape that is available via the SLD. The read-only role does not allow any changes such as starting/stopping or a configuration change on the system to be administered. You can assign roles with the SAP NWA in the User Administration area.

Configuration in the SAP NWA

In the SAP NWA System Management area, you can also perform configuration steps for the SAP Web AS Java. Configuration functions for the following areas are available:
- Application modules
- Application resources
- Virtual hosts
- Logon groups
- System parameters
- Log configuration

The details for a deployed application and the different modules which it consists of can be viewed and changed under Application Module. For example, you can change the cookie configuration or the welcome/error page for a web module.

In the Application Resources area, you can allow an application to access external resources. Application resources can be created by the user, deleted, or configured. You can perform the following actions:
- Administer JDBC Data Sources
- Administer JDBC Data Source Aliases
- Display resource adapter configuration
- Change Managed Connection Factories
- Administer JMS-related application resources
- Administer JMS Connection Factory references

New virtual hosts or aliases can be created in the Virtual Hosts area. Settings can also be made for virtual hosts.

Settings for logon load balancing can be made in the Logon Groups configuration area that influence the performance and system resources. Every SAP application has different resource requirements, so logon groups can be created and configured for certain applications. Using logon groups, you can define the instance on which a certain application should be used, such as one that is especially CPU intensive. A client request is forwarded to the right instance with the logon groups using the SAP Web Dispatcher or a load balancer from third parties. If you use logon groups for load balancing, then you must enter the logon group that you want to use for this application in the URL when calling the application.

We can perform the log configuration in the SAP NWA:
- Configure the severities (level of detail for the information in the log/trace files)
- Configure the destination (storage location of the log files)
- Create categories and locations

The SAP NWA displays the following functions in the Monitoring area:
- Availability Monitoring
- Central Report
- Java System Report
- Log and Traces

The Monitoring area looks like this in the SAP NWA:

The availability is displayed for all selected systems and instances. The number of active users and the average response time in the ABAP system are displayed in the detail view.

The central report allows you to see all monitors of the selected ABAP and Java systems. The currently collected monitoring data and the alerts that have occurred can be displayed. In both views, the functions Configuration Details, History and Alert Browser (Complete Alert, Alert History) are available. You can also see the threshold values and methods that have been set.

Hint: To display this data in the SAP NWA, you must enter the connection data for the central monitoring system in the Visual Administrator of the appropriate system.

In the Java System Report, resource usage and error statistics for a certain period can be displayed. The Java System Report is used to make comparisons and display them graphically or in a table. Additionally, other reports provide an overview of requests, components, activities in threads and user activities based on Java Application Response time Measurement (JARM).

You can find a tool in the Log and Traces area that provides a predefined view of the last 24 hours of alerts and SAP log files. You can personalize the view. You can also work in the alert view with the search and filter functions to find the desired data faster.

More information about connecting the SAP NW and about other monitoring functions can be found in the chapter "Monitoring the SAP Web AS Java".

System Analysis in the SAP NWA

In the SAP NWA, the following functions are integrated in the System Analysis area that allow you to obtain an overview of the performance in the system and to use the Performance Analysis Tool:
- Tools for performance measurement:
  - Application Profiler (Application Trace)
  - Activity Trace
- Java Configuration Browser (J2EE Config Browser)
- Log Viewer/log configuration for debug information

The Application Profiler is used to measure and evaluate the performance of an application during the development or test phase in milliseconds. It is a powerful tool for on-the-fly debugging actions for a Java application. Using byte code modification, the Application Profiler can measure the time used by a method for a user request. You do not need to redeploy the application; restarting it is enough.

Using the Activity Trace, a user request can be recorded and performance problems for the components, network and database can be determined.

Using the J2EE Config Browser (corresponds to the Editor Mode in the local Config Tool or the Configuration Adapter service in the Visual Administrator), you can display all configuration information and property sheets of an SAP Web AS Java.

In the SAP Web AS, there is an SAP logging API that allows you to write traces and log files. The traces and log files can be displayed in the Log Viewer and configured in the Log Configurator. Problem messages for applications such as performance problems are stored in traces.

Configuration of the Central Scenario

The configuration of a central scenario essentially involves four steps:
- Configure and activate the SLD
- Connect the SAP NWA to the SLD
- Connect the remote systems to the SLD
- Store the access data in the SAP NWA

Configuration Steps: Connecting the SAP NWA to the Central Monitoring System (CEN)

The following steps are required to use the SAP NWA in the Monitoring area:
- Preparation
  - Configure and activate the SLD
  - Connect the systems to be monitored/administered to the SLD
  - Create users and assign SAP NWA roles
  - Create connection between the SAP NWA and the SLD
  - Store access data for the remote systems in the SAP NWA
- Configuration: SAP NWA - CEN
  - Register the systems that are to be monitored on the CEN (ABAP → RZ21, JAVA → Agent)
  - Create the connection between the SLD and CEN
  - Create the connection between the SAP NWA and the CEN

Connection between the SAP NWA, CEN and the SLD

The connection between the SAP NWA and the SLD requires you to activate the SLD Data Supplier in the SAP NWA and to enter the required authorizations (see the lesson SAP NWA: Structure of a Central Scenario). Additionally, a connection from the SAP NWA to the ABAP area of the CEN will be created.

The SAP NetWeaver Administrator (SAP NWA) is a central tool for monitoring SAP Web AS-based systems. The following monitoring functions are available to you in the SAP NWA:
- Java System Report
- Logs and Traces
- Availability Monitoring
- Central Report

Start & Stop of JAVA Stack:

1. JAVA STACK:

The start and stop processes can be initiated using appropriate operating system commands - such as startsap under UNIX or the Microsoft Management Console under Microsoft Windows. The commands are forwarded directly to the Startup and Control Framework. The Startup and Control Framework is the infrastructure that SAP provides for starting and stopping Java instances.

Figure: Startup and Control Framework

SAP provides a separate Startup and Control Framework for SAP Web Application Server Java. This framework is used to start, stop, and monitor Java instances - but not, however, the Central Services. It consists of the following processes:

JControl:
- JControl starts, stops, and monitors the processes of a Java instance - primarily the server and dispatcher processes. SAP Signal Handling is implemented with JControl, to forward the start and stop commands to a Java instance.

JLaunch:
- JLaunch receives commands from the JControl process (through named pipes) to stop Java node elements such as dispatchers or servers.
- The JLaunch process ends itself if its parent process JControl is no longer running.
- JLaunch loads a JVM in a separate process. The parameterizing of the JVM is imported before the loading.

2. Dual Stack (ABAP + JAVA):

In Dual Stack the Java instances are controlled by the dispatcher of the ABAP instance. So the start and stop processes are triggered by the ABAP dispatcher. The ABAP dispatcher uses a signal to run a start/stop command on the Startup and Control Framework. The corresponding Java cluster elements are started/stopped using the Startup and Control Framework.

Option 1: Through SAP Level (SMICM): Stop the Java instance using SMICM. Start the Java instance by SMICM.

Option 2: Through OS Level: We can stop through JCMON.

Figure: Starting Sequence of an SAP System (ABAP + JAVA Stack)

Monitoring & Administration:

1. Logs for Troubleshooting the Java Stack Issue:
   1. defaultTrace in /usr/sap/ECA/DVEBMGS20/j2ee/cluster/server0/log
   2. dev_jcontrol in the work directory /usr/sap/ECA/DVEBMGS20/work

2. Availability of the system: J2EECONNECT

Significance of this alert: The system may not be available.

Reason:
a) System is down
b) System may be busy with full load and new connections are not possible
c) SAP home directory is full and new logs cannot be written

Reaction:
a) Using JCMON, check the status of the Java process.
b) Open the index page http://<hostname>:<http port>
   Note: In most cases the JCMON process will be in running status but the index page will take a long time to open, which means that the JAVA instance is hung. In this scenario we have to restart the server process (only on Education & Quality systems). For a production system we have to take permission from the system responsible.
c) We can also check the logs default trace, dev_jcontrol, dev_jcmon, default.trc, jvm_out, bootstrap, under the work directory.
d) Restart the server process via jcmon.
e) Check the file systems (all SAP-related directories) with the command: df -k
   If a file system is full, remove core files, heap dumps, Java core files and old logs under /usr/sap/SID.
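The J2EECONNECT reaction steps above can be combined into one triage routine. The following is an added example, not part of the original document: it assumes Linux-style `df -k` output, and the function names, the 95% and 30-second thresholds and the sample `df` text are all constructed for illustration.

```python
# Added example: triage of a J2EECONNECT alert from three signals the page
# names: JCMON process status, index page response, and `df -k` output.

# Constructed sample `df -k` output; the /usr/sap device name is long enough
# that df wraps the row onto two lines, which the parser must handle.
DF_K_SAMPLE = """\
Filesystem     1K-blocks      Used Available Use% Mounted on
/dev/sda1       51475068  20590028  28247200  42% /
/dev/mapper/vg_sap-lv_usr_sap
               103081248 101019624   2061624  99% /usr/sap
/dev/sdc1       20511312   5127828  15383484  25% /sapmnt
"""


def parse_df_k(text):
    """Return {mount_point: used_percent} from `df -k` output."""
    usage = {}
    pending = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = pending + line.split()
        if len(fields) < 6:                 # wrapped row: wait for the rest
            pending = fields
            continue
        pending = []
        percent, mount = fields[-2], fields[-1]
        if percent.endswith("%") and percent[:-1].isdigit():
            usage[mount] = int(percent[:-1])
    return usage


def sap_filesystems(usage, sap_root="/usr/sap"):
    """Mount points at or below sap_root, or the file system that holds it."""
    mounts = {m for m in usage if m == sap_root or m.startswith(sap_root + "/")}
    if sap_root not in usage:
        holders = [m for m in usage if sap_root.startswith(m.rstrip("/") + "/")]
        if holders:
            mounts.add(max(holders, key=len))   # longest prefix is the holder
    return mounts


def triage_j2eeconnect(jcmon_running, index_seconds, df_text, system_role,
                       slow_after=30.0, threshold=95):
    """Classify the alert and list the reactions the page describes.

    index_seconds is the index page response time, or None on a timeout.
    system_role is "education", "quality" or "production".
    slow_after and threshold are assumed values, not SAP defaults.
    """
    usage = parse_df_k(df_text)
    full = sorted(m for m in sap_filesystems(usage) if usage[m] >= threshold)

    if not jcmon_running:
        state = "down"
    elif index_seconds is None or index_seconds > slow_after:
        state = "hung"          # JCMON says running, index page does not open
    else:
        state = "available"

    actions = []
    if full:
        actions.append("free space on " + ", ".join(full)
                       + " (core files, heap dumps, old logs)")
    if state == "hung":
        if system_role == "production":
            actions.append("get approval from the system responsible "
                           "before restarting the server process")
        else:
            actions.append("restart the server process via jcmon")
    elif state == "down":
        actions.append("check defaultTrace and dev_jcontrol in the work directory")
    return {"state": state, "full_filesystems": full, "actions": actions}


if __name__ == "__main__":
    print(triage_j2eeconnect(True, None, DF_K_SAMPLE, "production"))
```

A full file system is reported independently of the process state, because the page lists it as a cause in its own right.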

User Management Engine

Introduction:
1. The user administration in the Java stack is done with the help of the UME.
2. The UME is also known as the 'User Store' for the J2EE environment.

Data Source:
1. The UME itself is only an infrastructure for storing user data. The user storage locations of the UME are called data sources.
2. Data sources can be
   1. Directory services,
   2. Databases, or the
   3. ABAP user management in SAP Web AS.
   The data source is defined during the installation. The UME provides the option of reading user data from different data sources or writing to different data targets.
   Hint: You should decide on an appropriate data source before/during the installation, since although it is possible to change the data source, it is not recommended, or not possible to perform in some cases.
3. We can use the Config Tool to see the active data source.

User Administration Tools:

In the Java stack we have the following tools for user administration:
1. UME Console
2. Visual Administrator
3. Config Tool

UME Console

The UME provides a browser-based administration interface. You can access this from the home page of the SAP Web Application Server Java (http://<server name>:<port>/useradmin, such as http://P12345:50000/useradmin). The UME Console is also integrated into the SAP NetWeaver Administrator (http://<server name>:<port>/nwa Administration → User & Access). The UME console will be opened in a separate window when called in the SAP NetWeaver Administrator.

You can perform the following actions there:
- Administration of users
- Administration of groups
- Administration of roles
- Manual replication
- Import/export of users, groups, roles

You can always use the UME console for user administration and assigning authorizations if the UME uses a directory service or a database as the data source. If you have selected ABAP user management as the data source for the UME, users can only be administered using the relevant transactions in the SAP ABAP system. In this case (data source: ABAP management), you can only assign Java authorizations using the UME console or the Visual Administrator.


Visual Administrator

The Visual Administrator provides similar functions to the UME console in the area of user administration. If user data is not stored in the UME, but rather in the user store database, you must use the Visual Administrator for user administration and assigning authorizations. This is only rarely the case, since the UME is automatically the active user store after an SAP Web AS Java is installed.

Figure: Visual Administrator

Config Tool

In the context of user administration, the Config Tool is used to adjust data sources and to maintain specific properties of the UME. It is only possible to maintain this data in the Configuration Editor mode. You can change the UME configuration and property files in this mode.

Figure 15: Config Tool

User Administration Tools and Data Source


ABAP User Management

If the ABAP user management is set as the active data source, users are administered using the familiar transactions in SAP Web AS ABAP. In this case, you can only assign Java authorizations using the UME console or the Visual Administrator. The UME console only has read authorization in ABAP user management.

Hint: The communication between the UME and the ABAP user management is performed with the SAPJSF user. After an installation, this user has the (ABAP) role SAP_BC_JSF_COMMUNICATION_RO, which provides read access from the UME to the ABAP user. You can obtain write access by adding the role SAP_BC_JSF_COMMUNICATION.

Users and Groups

Each user has a user profile. This user profile contains attributes such as name, e-mail address, and so on, which can be changed. Users can be assigned to groups. Roles can be assigned to individual users and groups. Roles contain authorizations.

Hint: If you are using SAP Web AS ABAP+Java, the term group has a different meaning.

Data Source and Using the Tools for User/Authorization Administration

The following table provides an overview of the tools that can be used, depending on the active data source of the UME.

Maintaining Users

If you are using the ABAP user management as the UME data source, the users are maintained in the corresponding transaction in SAP Web AS ABAP. Log on to the ABAP user management with a user with appropriate authorizations and call transaction SU01. The actions create, change, delete, and search are available on the initial screen. For more detailed information about ABAP user administration, attend courses in the curriculum on Administration of an SAP Web AS (ABAP).

We always use the UME console for user administration if a directory service or a database has been selected as the data source. Log on using the URL http://<server>:<port>/useradmin (such as http://P12345:50000/useradmin). Enter the administration user with the corresponding password as the user. The administration user for SAP Web AS with ABAP and Java is called j2ee_admin; for SAP Web AS Java (UME uses ABAP user administration), the user is called J2EE_ADM_<SID>; and for SAP Web AS Java (UME uses a database or directory service for user administration), the user is called Administrator.

The Visual Administrator is another option for maintaining users. You can use the Visual Administrator for user administration if the UME uses a directory service or a database as the data source. You call the Visual Administrator by starting go.bat from the directory \usr\sap\<SID>\<instance>\j2ee\admin. Log on as the administration user with the corresponding password. Navigate to the Security Provider service of the server and, in the Runtime tab page, choose the sub tab page User Management (Server → Services → Security Provider → Runtime → User Management).

Figure: Visual Administrator: User Administration

Creating, Deleting, and Changing Groups

There are two ways to create groups. The user groups are used to assign a role to a large number of users and therefore to give these users the same authorizations. You can use either the Visual Administrator or the UME Console to administer groups. When you make changes to a group, the changes are visible in both tools (Visual Administrator and UME console), since the user data is stored in the same data source.

We can use the UME console to create, delete, change, and display groups. You can also export and import user groups. It is possible to assign users to groups, and also to assign groups to other groups. Log on using the URL http://<server>:<port>/useradmin (such as http://P12345:50000/useradmin) and choose the User Management link. Enter the administration user with the corresponding password as the user.

We can use the Visual Administrator to administer groups if the UME uses a directory service or a database as the data source. You call the Visual Administrator by starting go.bat from the directory \usr\sap\<SID>\<instance>\j2ee\admin. Log on as the administration user with the corresponding password. Navigate to the Security Provider service of the server and, in the Runtime tab page, choose the sub tab page User Management (Server → Services → Security Provider → Runtime → User Management).

Groups in the UME are used to combine users into groups and to assign all of these the same authorizations (roles). This statement applies for all data source configuration files with the exception of dataSourceConfiguration_r3_roles_db.xml and dataSourceConfiguration_abap.xml. PFCG roles are visible in the UME as groups and the "PFCG user role" assignments are displayed as "user group" assignments in the UME. Existing groups cannot be changed with the Java user administration tools. If new groups are created with the Java user administration tools, they are stored locally in the Java database.

The reason for this group administration concept is the shared authorization administration for applications that have both ABAP and J2EE components. Applications such as SAP Exchange Infrastructure, for example, have both ABAP and J2EE components. The ABAP authorizations are mapped with PFCG roles. The J2EE authorizations are mapped with UME roles. A user must be assigned a PFCG role in the ABAP system and a UME role on the J2EE side for the user to have both ABAP and Java authorizations. To avoid this, the PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically also receives the authorizations from the UME role. Assigning authorizations therefore becomes simpler.

Figure: Groups
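Because roles reach users through groups, nested groups and PFCG roles that appear as groups, the holders of a change-capable SAP NWA role are not visible from direct role assignments alone. The following added example (not part of the original document) resolves effective roles over a constructed export; every user, group and PFCG role name in the sample data is hypothetical, and only the SAP_JAVA_NWADMIN_* role names come from the text.

```python
# Added example: who effectively holds an SAP NWA role that allows changes?
from collections import deque

# The two roles from the page that are not read-only.
CHANGE_ROLES = {"SAP_JAVA_NWADMIN_LOCAL", "SAP_JAVA_NWADMIN_CENTRAL"}

# --- constructed sample export; principal names are assumed to be unique ---
USER_GROUPS = {                      # user -> groups assigned directly
    "alice": ["Basis_Admins"],
    "bob": ["Z_XI_MONITOR"],         # PFCG role from ABAP, shown as a UME group
    "carol": ["Helpdesk"],
    "dave": [],
}
GROUP_MEMBER_OF = {                  # group -> groups it is assigned to
    "Z_XI_MONITOR": ["Operators"],
    "Operators": ["Basis_Admins"],
    "Basis_Admins": ["Operators"],   # deliberate cycle to exercise the guard
    "Helpdesk": [],
}
ROLE_ASSIGNMENTS = {                 # user or group -> UME roles
    "Basis_Admins": ["SAP_JAVA_NWADMIN_CENTRAL"],
    "Operators": ["SAP_JAVA_NWADMIN_LOCAL_READONLY"],
    "Helpdesk": ["SAP_JAVA_NWADMIN_CENTRAL_READONLY"],
    "dave": ["SAP_JAVA_NWADMIN_LOCAL"],
}


def effective_roles(user):
    """Map each role the user ends up with to the shortest granting chain.

    The chain starts at the user and ends at the principal that carries the
    role, so a reviewer can see which group assignment to remove.
    """
    granted = {}
    seen = {user}
    queue = deque([(user, [user])])
    while queue:
        principal, path = queue.popleft()
        for role in ROLE_ASSIGNMENTS.get(principal, []):
            granted.setdefault(role, path)      # first hit is the shortest
        if principal == user:
            parents = USER_GROUPS.get(user, [])
        else:
            parents = GROUP_MEMBER_OF.get(principal, [])
        for group in parents:
            if group not in seen:               # guard against group cycles
                seen.add(group)
                queue.append((group, path + [group]))
    return granted


def change_capable_users():
    """Return {user: {role: chain}} for users who can change the system."""
    findings = {}
    for user in sorted(USER_GROUPS):
        hits = {role: chain for role, chain in effective_roles(user).items()
                if role in CHANGE_ROLES}
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in change_capable_users().items():
        for role, chain in hits.items():
            print(f"{user}: {role} via {' -> '.join(chain)}")
```

In the sample, bob holds only a monitoring PFCG role in ABAP but inherits the central administration role through two levels of group nesting.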

Users and Authorizations in SAP Web AS Java

You can use authorizations to control which users can access a Java application, and which actions are permitted for a user. Authorizations are combined as roles and then assigned to a user or a user group by an administrator. The UME console and Visual Administrator tools are used to assign authorizations. Authorization checks are built into a Java application. There are the following different types of authorization checks:
- J2EE security roles
- UME roles

Caution: As a matter of principle, UME roles can only be administered using the UME console, and J2EE security roles can only be administered using the Visual Administrator.

With both types of authorization check, the developer needs to define the authorization query in the application. The developer decides which type of authorization check is to be used. In practice, this means that whether J2EE security roles or UME roles are used depends on the application. J2EE security roles are part of the J2EE standard. UME roles are an (SAP) extension of the J2EE security roles. You can define the same authorization checks with J2EE security roles and UME roles. However, it is easier to assign authorizations with UME roles. A J2EE security role comprises one object, and UME roles many authorization objects (known as actions). This means that many J2EE security roles but perhaps only one UME role need to be assigned for the same authorizations. We recommend that you always use UME roles, except in cases in which J2EE security roles are sufficient.

Note: A role in the ABAP environment is roughly equivalent to a UME role.

J2EE Security Roles

J2EE security roles are part of the J2EE standard. A security role is an abstract logical definition that protects access to an application, a service, or another resource. It consists of only a name and a description. The role relates only to the application for which it was defined. J2EE security roles allow an access check for J2EE applications. The authorizations are defined declaratively. A developer creates a J2EE security role for each new application object. These objects are consolidated during the assembly process and made available on the J2EE server. A user can use these objects only if the administrator has specified the user's name in the J2EE role.

Assigning a J2EE Security Role

You can use the Visual Administrator to assign a security role to a user. The Security Provider service of SAP Web AS Java must be running, and the user that wants to make the assignment must have administration authorizations. To assign security roles, proceed as follows:
1. Start the Visual Administrator (\usr\sap\<SID>\<instance>\j2ee\admin\go.bat).
2. Navigate to Server > Services > Security Provider > Runtime > Policy Configurations.
3. In the Components area, select the application (or service).
4. Choose the Security Roles tab page.
5. In the Mappings area, select a user/group.
6. In the Security Roles area, select the security role that you want to assign to users or groups.
7. Add the users/groups using Add.

In the UME, there is a role concept with which authorizations are assigned. These authorizations relate to authorization checks that are defined in the coding of the SAP application. The authorization concept in the UME uses permissions, actions, and roles. Permissions are defined in the Java coding. This is known as programmable security. Permissions are used to provide access control. Permissions cannot be assigned directly to a user. An action is a collection of permissions. A Java application defines its own actions and specifies the authorizations in an XML file (<name of the application>.xml; such as "sap.com_TC~wd~dispwda.xml"). Actions are displayed in the UME console. You can use the UME console to combine these actions into roles. UME roles group actions of one or more applications. You can assign UME roles to users in the UME console. SAP's Java applications work with UME roles. If SAP delivers a Web Dynpro application, you can only assign authorizations using UME roles.

Note: Web Dynpros are a new generation of browser-based business

Assigning UME Roles

You can maintain the UME roles using the UME console (URL: http://<server>:<port>/useradmin). You perform both the assignment of actions to roles and the assignment of roles to users or groups there. After logging on with an administrator user, select the appropriate role, display the assigned actions, and change the role, if necessary. Then assign the role to a user or a group.
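The assignment chain described above (user, group or PFCG role shown as a group, UME role, actions) can be resolved offline to show through which assignment a user holds each action. This Python sketch is an added example, not SAP code; every user, group, role and action name and the in-memory data layout are hypothetical.

```python
# Constructed sample data; all names below are hypothetical.
GROUP_MEMBERS = {                 # group -> direct members (users or groups)
    "PFCG_XI_MONITOR": {"alice"},             # PFCG role, seen in the UME as a group
    "Operators": {"bob", "PFCG_XI_MONITOR"},  # a group assigned to another group
    "Everyone": {"Operators", "Everyone"},    # self-reference must not loop forever
}
ROLE_ASSIGNMENTS = {              # UME role -> users or groups holding the role
    "XI_Monitoring": {"PFCG_XI_MONITOR"},
    "Job_Operator": {"Operators"},
    "Admin": {"carol"},
}
ROLE_ACTIONS = {                  # UME role -> actions it bundles
    "XI_Monitoring": {"xi.DisplayMessages"},
    "Job_Operator": {"jobs.Restart", "xi.DisplayMessages"},
    "Admin": {"users.Manage"},
}

def groups_of(principal, seen=None):
    """All groups containing principal, directly or through nested groups."""
    seen = set() if seen is None else seen
    for group, members in GROUP_MEMBERS.items():
        if principal in members and group not in seen:
            seen.add(group)           # mark first, so cycles terminate
            groups_of(group, seen)
    return seen

def effective_actions(user):
    """Map each action to the list of 'holder -> role' grants that confer it."""
    principals = {user} | groups_of(user)
    grants = {}
    for role, holders in ROLE_ASSIGNMENTS.items():
        for holder in sorted(holders & principals):
            for action in sorted(ROLE_ACTIONS.get(role, ())):
                grants.setdefault(action, []).append(f"{holder} -> {role}")
    return grants

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_actions(user))
```

An action that arrives through more than one grant, as xi.DisplayMessages does for alice, stays with the user when only one of the assignments is removed.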

Properties: Security Policy

You can use UME properties to set parameters for the length of user IDs and passwords, and the characters permitted for a password.
- ume.logon.security_policy.auto_unlock_time
  Number of minutes before a user ID locked due to failed logon attempts is unlocked.
- ume.logon.security_policy.lock_after_invalid_attempts
  Number of failed logon attempts before a user is locked.
- ume.logon.security_policy.cert_logon_required
  Defines whether certificate logon is required.
- ume.logon.security_policy.password_special_char_required
  Determines the minimum number of special characters that a password must contain.
- ume.logon.security_policy.password_alpha_numeric_required
  Specifies the minimum number of numerical and alphabetical characters that a password must contain. If the value is …, the password must consist of characters and letters.
- ume.logon.security_policy.password_expire_days
  Number of days before the password expires.
- ume.logon.security_policy.password_max_length, ume.logon.security_policy.password_min_length
  Maximum or minimum length of the password. If the UME uses the ABAP user management as the data source, the password length should not exceed the value 8.
- ume.logon.security_policy.useridmaxlength, ume.logon.security_policy.useridminlength
  Maximum or minimum length of the user ID. If the UME uses the ABAP user management as the data source, the user ID length should not exceed the value 12.
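A set of these properties can be checked against a site baseline and against the ABAP data source limits given above (password length 8, user ID length 12). This Python sketch is an added example, not an SAP tool; the key=value input format, the baseline thresholds and the `abap_data_source` switch are assumptions.

```python
PREFIX = "ume.logon.security_policy."
# Assumed site baseline (illustrative thresholds, not SAP defaults).
BASELINE = {
    "lock_after_invalid_attempts": ("max", 6),
    "password_expire_days": ("max", 90),
    "password_min_length": ("min", 8),
    "password_special_char_required": ("min", 1),
    "password_alpha_numeric_required": ("min", 1),
}
# Limits the text gives for a UME that uses ABAP user management.
ABAP_LIMITS = {"password_max_length": 8, "useridmaxlength": 12}

# Constructed sample input in key=value form (not a real system export).
SAMPLE = """\
ume.logon.security_policy.lock_after_invalid_attempts=20
ume.logon.security_policy.password_expire_days=90
ume.logon.security_policy.password_min_length=6
ume.logon.security_policy.password_max_length=14
ume.logon.security_policy.password_special_char_required=1
ume.logon.security_policy.password_alpha_numeric_required=1
ume.logon.security_policy.useridmaxlength=12
"""

def parse_properties(text):
    """Return {short name: int} for the numeric security-policy properties."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if sep and key.startswith(PREFIX) and value.isdigit():
            props[key[len(PREFIX):]] = int(value)
    return props

def audit(props, abap_data_source=False):
    """Return (property, reason) findings: baseline first, then ABAP limits."""
    findings = []
    for name, (kind, limit) in BASELINE.items():
        value = props.get(name)
        if value is None:
            findings.append((name, "not set or not numeric"))
        elif kind == "max" and not 1 <= value <= limit:
            # Assumption: 0 is treated as the control being switched off.
            findings.append((name, f"{value} is outside 1..{limit}"))
        elif kind == "min" and value < limit:
            findings.append((name, f"{value} is below {limit}"))
    if abap_data_source:
        for name, limit in ABAP_LIMITS.items():
            if props.get(name, 0) > limit:
                findings.append((name, f"{props[name]} exceeds ABAP limit {limit}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(parse_properties(SAMPLE), abap_data_source=True):
        print(f"{PREFIX}{name}: {reason}")
```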
