WDEBU7 Workshop Chapter 05 NetWeaver 7.

0 BI Web AS settings
Roland Kramer - SAP Solutions Business Development, SAP EMEA Version: October 2009

SAP AG

Delta 7

Course Overview - 1

SDN users please note the following

The Access of any material in the SAP community network and SAP developer network (SDN) is free of charge with your user login. If you see any occurrence of SAP Note or SAP Hinweis and you want to access this Information, you have to logon to the SAP Marketplace (SMP) Note search which needs an additional login to the SMP. The login to SMP is depended to a valid customer contract and the S-user credentials. Example for such a link: https://service.sap.com/sap/support/notes/

You can also add the Note Number directly at the end of the mentioned URL or go to New Note Search

SAP AG 2003, Setup BI 7, Roland Kramer / 2

SAP AG

Delta 7

Course Overview - 2

Checking the Web Reporting Settings in SPRO

SAP AG 2003, Setup BI 7, Roland Kramer / 3

Additional Notes for the WAS settings and the web Reporting: Note 434918: DNS configuration for BSP Applications on W2K - icm/host_name_full = server.domain.ext - http://server.domain.ext:1080/sap/bc/bsp/sap/it00/default.htm Note 550669: Compressed transfer of BI web Applications Note 561792: Client-sided caching of image/gif files Note 517484: Inactive services in the Internet Communication Framework Note 529793: Missing error text in the Internet Explorer browser Note 622130: Timeout problems in BI web Applications Note 619884: Integration of BSP applications in BI web Applications Note 498936: Log on/password change in web with BI3.0B or higher Note 516884: Anonymous logon with BI 3.0A/B and SAP web App. Server Note 517860: Logging on to BSP applications (Check the Documents in the Append of the Note) Note 434918: DNS configuration for BSP Applications on Windows 2000 Note 616900: BSP FAQ -- Frequently Asked Questions Note 677118: SP31-> Fully Qualified Domain Names Check

SAP AG

Delta 7

Course Overview - 3

Checking the WAS Parameters with RZ10

SAP AG 2003, Setup BI 7, Roland Kramer / 4

Binding Ports Lower Than 1024 on UNIX

With the Internet Communication Manager (ICM) you can bind ports with numbers 0 up to and including 1023 (well known ports) on Unix systems too. The external binding program icmbnd included in the standard delivery is used for this. Usually the ICM itself binds the ports. If you want to use icmbnd to bind configured ports, change the parameter specification for icm/server_port_<xx> in the profile (transaction RZ11). On Unix systems only users with superuser authorizations can bind ports with numbers lower than 1024. For this reason either the ICM process must be provided with these authorizations, or the port must be bound by an external program and then the listen socket transferred to the ICM. To ensure the ICM itself does not attempt to bind the port, you specify an additional option when you are configuring ports with icm/server_port_<xx>: EXTBIND=1 The format of this parameter is: icm/server_port_1 = PROT=HTTP, PORT=8080, TIMEOUT=30, EXTBIND=1 Usually icmbnd is called directly from the ICM, though the program can also be called from external systems to make new ports known to the ICM. icmbnd can also be used to bind ports >= 1024, but then the startup time of the ICM is longer. icmbnd is also available for Windows. As the user <sid>adm can bind any number of ports on this system, there is no need to use the icmbnd here.
SAP AG

Integration

Activating External Binding

Delta 7

Course Overview - 4

Obsolete Parameter icm/plugin_<xx>

Also note that the extension EXTBIND=1 is still valid for Web AS 7.00. So you can bind ports lower than 1024 on UNIX without any restrictions.
SAP AG 2003, Setup BI 7, Roland Kramer / 5

icm/plugin_<xx>

This parameter is used to specify the protocols supported by the ICM. <xx> must be specified in ascending order from 0. A protocol is specified by the name of the protocol (for example, HTTP, HTTPS) and a shared library (plug-in) for the protocol. The plug-in can be associated with the parameter icm/server_port_<xx> at one or several ports

icm/server_port_<xx> Use

You can use this parameter to specify the service/port that is to be used for a protocol. Either the service name or the port number can be specified. You can also determine additional service properties. This is described in the procedure below. A plug-in for the protocol must be specified in the parameter icm/plugin_<xx>, as otherwise the service cannot be started. There cannot be more than one service allocated to a single port. Also, a service cannot be started if another program is using the port or service.

Prerequisites

SAP AG

Delta 7

Course Overview - 5

Checking the ICM Manager with Transaction SMICM

Also see note 308977 for additional errors.

SAP AG 2003, Setup BI 7, Roland Kramer / 6

Monitoring the Status of the ICM Use

The ICM monitor provides various functions for monitoring the status of the ICM and for detecting any possible errors. You can find the functions described here in the Go To menu. To display or reset the trace file dev_icm, choose Go To Trace file or Go To Trace Level. You can also set the trace level here (values can be between 0 and 3; the default is 1). You can also display just the start or the end of the file (the first or last 1000 lines). This is a very useful function for large files. Choose Goto Trace file Display start or Display End. If you want to view the trace file of the external binding program icmbnd, choose Goto Trace file Display Dev_icmbnd. Choose Goto Parameters to display or change the ICM profile parameters. If you choose Change, you can display the RZ11 documentation for every parameter that is executed by placing the cursor on the parameter name and choosing Documentation. The value field is ready for input for those parameters that can be changed dynamically. Note that with dynamic changes, these are lost the next time the instance is started.
Delta 7 Course Overview - 6

Functions

Trace files

Parameters

SAP AG

Checking the Patch Level of the ICM

SAP AG 2003, Setup BI 7, Roland Kramer / 7

The Transaction SMICM (ICM Monitor) is in comparison with SM51 (Instance Overview) and it contain also a work process Overview. The Advantage in the SMICM is that you can restart the ICM without restarting the SAP Instance (no bounce of the system). For the ICM Usage in the web Application Server it in mandatory to update the basis Kernel 7.00 regularly, e.g. the Released Kernel support Stacks. The ICM get his updates together with the Kernel Patches. Please check also the interfere between Kernel and ICM. In the 6.x it happened sometime that Kernel patches produced errors in the web interface.

Additional Notes for Settings/Performance of the integrated ITS:

Note 705013 - Timeout for ICF services based on ITS Note 885580 - Integrated ITS: Configuration Parameters Note 890601 - SAP Integrated ITS updates for NetWeaver 2004s (7.00) Note 901250 - Integrated ITS, mimes cache control: max-age Note 746666 - OutOfMemory due to http response compression Note 910285 - WebAS Java 7.00 SP06 - List of corrections Note 1031733 - Http transmission of XI messages with huge payload fails

SAP AG

Delta 7

Course Overview - 7

Checking the Prerequisites for SSO

See the SAP Help Portal http://help.sap.com for more details

http://help.sap.com/saphelp_nw04/helpdata/en/e1/8e51341a06084de100 00009b38f83b/frameset.htm Architecture of the SAP WAS http://help.sap.com/saphelp_erp2005/helpdata/en/e3/e86878c8204acc85 6d8d5da4a54fa4/frameset.htm Administration When Using Logon Tickets

Set the parameter SECUDIR=/usr/sap/<SID>/<instance>/sec for the user <SID>adm Download the SSO libraries from the SAP Marketplace http://service.sap.com/swdc or http://service.sap.com/tcs Check the SSO configuration with transaction STRUSTSSO2

System PSE and Certification List Go to Menu Environment Display SSF Version Go to Menu Environment SAP Logon Ticket check with RFC destination NONE

SAP AG 2003, Setup BI 7, Roland Kramer / 8

Here on this page you see the Steps to check the SSO configuration for the WAS web reporting for BI. By Default, only HTTP is active you will get a prompt from your web browser as soon you want to log on to your WAS Server with http://server.domain.ext:<port>. The Disadvantage is, that you only get two fields: Username and Passwords. If you want to have additional Functionality like Language field or changing Password you need to enable the SSO configuration on the system. This configuration is also the necessary Pre Requisites to integrate the BI system into the EP 7.0 Portal. Note 888687: BEx Web Java: Analysis of communication/logon problems Note 817529: Checking the SSO configuration Note 838097: Follow-up after installation/upgrade of ERECRUIT 600

Load Balancing with HTTP/HTTPS:

Note 857596 - Message server: Status code for redirect requests Note 932640 - Load balancing using message server through HTTPS

SAP AG

Delta 7

Course Overview - 8

Installing SSO Libraries in the System (Note 662340)

Copy the ticket to folder /usr/sap/<SID>/DVEBMGS<Nr>/sec

Copy the libraries to folder $DIR_EXECUTABLE Make sure the libraries are accessible before restarting the system (chmod 775), otherwise errors will occur with the SSO.
SAP AG 2003, Setup BI 7, Roland Kramer / 9

See also the following Release Notes:

Note 455033 - SAPCRYPTOLIB versions, bugs and fixes Note 817529 - Checking the SSO configuration Note 836367 - SSF PSEs: Setting algorithm and key length Note 1300924 - Central note on WS Security (ABAP 7.00 and later) Note 1058307 - SAPCRYPTOLIB 555pl21: sapgenpse update and fix Note 1115328 - SAPCRYPTOLIB 555pl22: WS-Security & SSL client cert fix Note 1159829 - SAPCRYPTOLIB 555pl24: crypto fix, import_p8, SAP ByD update Note 1357841 - SAPCRYPTOLIB 555pl26: bugfixes and WS-Security update The libraries are available from the SAP service Portal http://service.sap.com/swdc. There are also some updates for the secure library available at the kernel section in the service Portal http://service.sap.com/patches Please note that the files on the UNIX based system needs enough permissions, otherwise the SSO will not be enabled. This is also valid for Windows based systems (no read only permission). If you forgot to change the permission after you restarted the system, you have to stop the SAP system and change the permission before SAP is restarted. You will have no effect when you only restart the ICM service. The SMTP service will be used for various reason like in SEM or in the process chains for BI. It is also used together for the Information Broadcasting, the new feature of BI 3.x and above.
Delta 7 Course Overview - 9

SAP AG

Creating the SSL Tickets with STRUSTSSO2

SAP AG 2003, Setup BI 7, Roland Kramer / 10

Some more Informations about SSL/SSO:

Check the library sapcrypto.<ext> (o, so, sl, dll) if you are using the latest version which you can download from http://service.sap.com/patches. You must use a s-user ID for the download. See notes 508307 and 354819 for details. The library must have 775 or on W2K read permission before restarting SAP. Check for the right parameters in the SAP instance profile (Example Windows): sec/libsapsecu = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll ssl/ssl_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll ssf/ssfapi_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll ssf/name = SAPSECULIB

Check with the transactions: STRUST - Trust Manager STRUSTSSO2 - Trust Manager for Logon Ticket

SAP AG

Delta 7

Course Overview - 10

Import the Server Certificate (Note 510007)

SAP AG 2003, Setup BI 7, Roland Kramer / 11

More Information can be found in the following Notes:

Note 836367: SSF PSEs: Setting algorithm and key length Note 578377: Digital signatures with SAPCRYPTOLIB Note 745103: Problem analyze with HTTPS-Communication Note 817529: Checking the SSO configuration SAP delivers the sso2test.htm BSP application. You can use this application to check whether an SSO2 cookie can be created. Start Transaction SE80 'SYSTEM' BSP application Pages with flow logic Right-click on sso2test.htm Test Follow the instructions on the screen

Configuration check

You can also execute the following JavaScript command from the address bar of your Internet browser to check whether an SSO2 cookie currently exists: javascript:alert(document.cookie); As a result, all current cookies are issued in an alert box. If an SSO2 cookie exists, an entry would have to exist that begins with 'MYSAPSSO2=....'
Delta 7 Course Overview - 11

SAP AG

Check with Settings from Note 1249794

SAP AG 2003, Setup BI 7, Roland Kramer / 12

SAP AG

Delta 7

Course Overview - 12

Add NWEP System in Access Control List (ACL)

Note: for Double stack Installations the CN must be different and the ACL points to the Issued System with client 000 (EP default)

SAP AG 2003, Setup BI 7, Roland Kramer / 13

This Configuration step is done automatically, if all pre requisites are fulfilled to start and run the NetWeaver Administrator Template Installer (CTC). login/accept_sso2_ticket = 1 login/create_sso2_ticket = 2 icm/host name full

System parameter/settings

To enable the Internet browser accept the SSO2 cookie, you must enter a fully qualified host name in accordance with notes 434918 and 654982. SAPSECULIB / SAPCRYPTOLIB You must use the SAP Security Library or the SAP Cryptographic Library. Transaction STRUST Transaction STRUSTSSO2

In this transaction, you define which systems are meant to accept logon tickets. This is necessary, for example, when you want to access data from one system of a BI application to another application of another system, without having to log on again. Documentation http://service.sap.com/security https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c270a01-0010-d5a9-9cb9ddcb6bce (New improved security features with NetWeaver 7.0)

SAP AG

Delta 7

Course Overview - 13

Checking the Correct Start of the SSO Configuration

SAP AG 2003, Setup BI 7, Roland Kramer / 14

### NetWeaver 7.0 WebAS Parameters rdisp/start_icman = TRUE icm/conn_timeout = 10000 icm/HTTP/max_request_size_KB = 102400 icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=d:\usr\sap\N4S\DVEBMGS01\data\cache icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin icm/HTTPS/verify_client = 1 icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=900 icm/server_port_1 = PROT=HTTPS,PORT=82$$,TIMEOUT=60,PROCTIMEOUT=900 icm/server_port_2 = PROT=SMTP,PORT=25$$,TIMEOUT=60,PROCTIMEOUT=900 icm/host_name_full = PWDF2142.wdf.sap.corp icm/keep_alive_timeout = 60 icm/listen_queue_len = 512 icm/max_conn = 300 icm/max_sleep = 2000 icm/max_threads = 30 icm/min_threads = 10 is/SMTP/virt_host_0 = *:25$$ is/HTTP/show_detailed_errors = 1 login/accept_sso2_ticket = 1 login/create_sso2_ticket = 2 mpi/total_size_MB = 120 mpi/max_pipes = 4000 ssl/ssl_lib = $(DIR_EXECUTABLE)\sapcrypto.dll sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll ssf/ssfapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll ssf/name = SAPSECULIB
SAP AG

Delta 7

Course Overview - 14

Usage of the SAP Web Dispatcher (note 538405)

SAP AG 2003, Setup BI 7, Roland Kramer / 15

See online help http://help.sap.com/saphelp_nw04/helpdata/en/ 7c/d55316da1843669b0e5ef000e3517f/frameset.htm for more details of the configuration. Whenever you want to scale Java Instances like the abap instances (central instance with application servers) the web dispatcher is needed for the load balancing If SAP Systems are accessed from the Internet via DMZ, the abap and java Instances must be available via web dispatcher. These addresses are later used instead of the real server addresses from abap and java. You can modify the CTC BI-Java Template before you start the configuration web dispatcher for Abap used in the entry SAP_BW in the Systemlandscape in Java web dispatcher for Java used in the table entry RSPOR_T_PORTAL in Abap

Setting Up and usage of the web dispatcher:

SAP AG

Delta 7

Course Overview - 15

Checking the BSP Services with Transaction SICF

SAP AG 2003, Setup BI 7, Roland Kramer / 16

Note 517484 - Inactive services in the Internet Communication Framework This is the overview web tree for the web services. Black indicates that the service is active Grey would indicate that the service in inactive Blue indicates that the service is active, but the underlying service is still inactive. Use the Feature to activate all underlying services also (Recommended way even when no service is under the active service.)

Note that for the SEM cockpit and for the WAS standard login also some services in the basis section had to be active. The alias public should also turned to be active You can also define your own aliases to have shorter web URLs, e.g. /sap/BW/BEx /web

SAP AG

Delta 7

Course Overview - 16

Checking the BI Service with Transaction SICF

SAP AG 2003, Setup BI 7, Roland Kramer / 17

Please make sure that the whole tree in BI has a active compression flag, especially the sap/BI/bex and the sap/BI/Mime tree. You can do this once and transport this settings through your system Landscape Please note that sometime corrections in the basis support packages an deactivate the service by accident. Than you simply have to turn the service back to active.

SAP AG

Delta 7

Course Overview - 17

Testing the BEx Service with Transaction SICF

SAP AG 2003, Setup BI 7, Roland Kramer / 18

When you change something in a service, the service keeps active all the time. You dont have to restart the service. The Button Test Service switches directly to the web output without having a web query ready. http://server.domain.ext:<port>/sap/bw/bex?sap-language=DE&template_id=0ANALYZER Note 970002 - Which BEx Analyzer version is called by RRMX? Transaction RRMX_CUST Note 966043 - BEx Analyzer: Calling queries with RRMXP

Test Java HTTP:

SE38 RS_TEMPLATE_MAINTAIN_70 0ANALYSIS_PATTERN Test Web

Test Abap HTTP:

SE38 RS_TEMPLATE_MAINTAIN 0ANALYSIS Test Web

SAP AG

Delta 7

Course Overview - 18

Checking the Web Protocol (RSCUSTV15)

See note 512337 for more details. If you wish to switch to HTTPS and SSO access, please consult the notes 510007 and 391953 in advance. From SPS14 NetWeaver 7.0 the automatic configuration for HPPS protocol is handled by the CTC BI-Java, see Note 983156

SAP AG 2003, Setup BI 7, Roland Kramer / 19

The Default Setting is HTTP. In most of the cases there is no Change to HTTPS necessary. However enabling the full HTTPS Environment is always possible with this configuration.

SAP AG

Delta 7

Course Overview - 19

IE 6.x Explorer Settings for Caching Data

SAP AG 2003, Setup BI 7, Roland Kramer / 20

SAP AG

Delta 7

Course Overview - 20

Copyright 2008 SAP AG All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages Weitergabe und Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrckliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen knnen ohne vorherige Ankndigung gendert werden. Einige von der SAP AG und deren Vertriebspartnern vertriebene Softwareprodukte knnen Softwarekomponenten umfassen, die Eigentum anderer Softwarehersteller sind. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge und andere in diesem Dokument erwhnte SAP-Produkte und Services sowie die dazugehrigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und in mehreren anderen Lndern weltweit. Alle anderen in diesem Dokument erwhnten Namen von Produkten und Services sowie die damit verbundenen Firmenlogos sind Marken der jeweiligen Unternehmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informationszwecken. Produkte knnen lnderspezifische Unterschiede aufweisen. Die in diesem Dokument enthaltenen Informationen sind Eigentum von SAP. Dieses Dokument ist eine Vorabversion und unterliegt nicht Ihrer Lizenzvereinbarung oder einer anderen Vereinbarung mit SAP. Dieses Dokument enthlt nur vorgesehene Strategien, Entwicklungen und Funktionen des SAP-Produkts und ist fr SAP nicht bindend, einen bestimmten Geschftsweg, eine Produktstrategie bzw. -entwicklung einzuschlagen. SAP bernimmt keine Verantwortung fr Fehler oder Auslassungen in diesen Materialien. SAP garantiert nicht die Richtigkeit oder Vollstndigkeit der Informationen, Texte, Grafiken, Links oder anderer in diesen Materialien enthaltenen Elemente. Diese Publikation wird ohne jegliche Gewhr, weder ausdrcklich noch stillschweigend, bereitgestellt. Dies gilt u. a., aber nicht ausschlielich, hinsichtlich der Gewhrleistung der Marktgngigkeit und der Eignung fr einen bestimmten Zweck sowie fr die Gewhrleistung der Nichtverletzung geltenden Rechts. SAP bernimmt keine Haftung fr Schden jeglicher Art, einschlielich und ohne Einschrnkung fr direkte, spezielle, indirekte oder Folgeschden im Zusammenhang mit der Verwendung dieser Unterlagen. Diese Einschrnkung gilt nicht bei Vorsatz oder grober Fahrlssigkeit. Die gesetzliche Haftung bei Personenschden oder die Produkthaftung bleibt unberhrt. Die Informationen, auf die Sie mglicherweise ber die in diesem Material enthaltenen Hotlinks zugreifen, unterliegen nicht dem Einfluss von SAP, und SAP untersttzt nicht die Nutzung von Internetseiten Dritter durch Sie und gibt keinerlei Gewhrleistungen oder Zusagen ber Internetseiten Dritter ab. Alle Rechte vorbehalten.

SAP AG 2003, Setup BI 7, Roland Kramer / 21

SAP AG

Delta 7

Course Overview - 21