Channel: SCN : All Content - SAP NetWeaver Application Server

ESS\MSS implementation on SAP Netweaver 7.5


Good day

We are looking to implement ESS\MSS on NetWeaver 7.5. We installed SAP NetWeaver 7.5 AS Java and deployed ESS 633, MSS 630 and PCUI_GP 633, but when we wanted to patch the system, MOpz complained about not being able to recognise these components (please see attached images). Even the synchronization has a warning in LMDB.

I tried to read up on NetWeaver 7.5 and XSS, but there is not a lot of information available. Does anyone have some info for me, more specifically on what to deploy?

https://wiki.scn.sap.com/wiki/display/ERPHCM/How+to+determine+the+correct+component+combination+in+ESS+WD+JAVA

The link above says you can choose not to deploy anything and use Web Dynpro ABAP (WDA). Is there any information about the role to import from the backend and use in the Portal?

thanks in advance

regards

Steven


HTMLB taglib limitations in IE Standards mode


Hi

I am quite new to SAP Netweaver Portal.

 

I found that some JavaScript functionality of the HTMLB taglib is not working in IE Standards mode. Is there an alternative to the HTMLB taglib to use in our portal application? Or is there a different approach to the problem?

 

I can explain my problem in detail if needed.

 

Thanks in advance.

Batch Job finishing without updating the database


Dear SAP Basis Gurus and SAP Abap Gurus,

 

I am executing an SAP report to create business partners in an SAP CRM system. I have used a parallel processing methodology in this report for business partner creation.

This report works fine with 80% of the total dialogue processors in the system (quality/development/testing SAP servers) used with multiple batch jobs in parallel (for example, if the total number of dialogue processes in the system is 100, then I schedule this report with 10 batch jobs and 8 dialogue processors per batch job).

 

But in production system we have 12 application servers with (150 dialogue processors, 20 update 1, 10 update 2 and 30 batch processes) per application server. So total resource is

dialogue processor : 1800

update 1: 240

update 2 : 120

batch jobs available: 360

 

Now I am scheduling the business partner creation report with 84 batch jobs and have assigned 17 dialogue processors per batch job.

But only 7-8 jobs remain active after scheduling, updating the database and creating customers; the rest of the jobs finish in 1 second without updating anything (note: there is nothing wrong with the data creation, as we write an application log for errors during data creation and nothing has come up in the application log). When I reprocess the rest of the batch jobs which completed in 1 second earlier and didn't update, again 7-8 jobs remain active and create business partners while the rest of them finish in 1 second, and so on.

 

This report is working fine in other sap systems like quality/development/testing, and this problem is only happening in production.

 

I am not at all familiar with Basis configuration, so kindly help me out with this issue.

 

Thanks for your help

 

Sudipto

SAP on Windows Issue


Hello !

 

We're on Windows 2012 with SQL/HANA for our SAP systems.

We're running into a weird problem where sporadically the OS becomes unresponsive. As a result, SAP malfunctions/becomes unresponsive and we're not able to RDP in to the server.

 

On hard rebooting, everything's Ok.

 

This is only happening to the SAP servers.

The non SAP servers in our landscape are Ok.

 

We're on Version 6.2 Build 9200.

When the OS freezes, SAP is still up most times... but things like transports don't work (since OS files are inaccessible). Also, SICK goes into the hourglass mode.

Event Viewer does not give any useful information.

 

Today we had an instance where our Production SCM system CI froze and we had to reboot it.

 

Yesterday, it happened with our ECC Production Cluster server.

Since the sapmnt share was accessible (even though RDP was not), the system did not go down... but in a few hours the server restarted itself and failed over to Node 2.

 

We have a case open with Microsoft too... they've asked us to update the patches... but since the patches have to go in Dev --> QA and then Prod, this would take time.

We were wondering if maybe this is a known issue with a single bug fix or something else that addresses it.

It's also extremely sporadic and random... i.e. it's one SAP server today and the other tomorrow...

 

We also have Symantec installed on all these servers.

 

Please help advise...

 

Thanks a lot !

saba.

cannot retrieve java database user


dear all,

 

I'm running ECC 6.0 on Windows 2012 R2 with MS SQL Server 2005.

 

Now I want to rename a SID but I'm getting this error here; can someone help me please?

 

 

##########

 

INFO 2016-04-05 05:51:39.036 (SAPSDV\Administrator)

Execute step getDBUserJava_Source of component |offlineadjustment_dialogs|ind|ind|ind|ind|0|0

 

 

INFO 2016-04-05 05:51:40.695 (SAPSDV\Administrator)

Execution of the command "C:\Users\ADMINI~1\AppData\Local\Temp\3\sapinst_exe.6372.1459827975\jre\bin\java.exe -classpath E:\usr\sap\SDV\SYS\global\sltools\sharedlib\sap.com~tc~bl~offline_launcher~impl.jar com.sap.engine.offline.OfflineToolStart com.sap.inst.secstore.GetDBConnectInfo E:/usr/sap/SDV/SYS/global/security/lib/tools;E:/usr/sap/SDV/SYS/global/sltools/sharedlib;E:\change_sid/COMMON/INSTALL -sec E:/usr/sap/SDV/SYS/global/security/data/SecStore.properties -sid SDV" finished with return code 1. Output: Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/engine/offline/OfflineToolStart

Caused by: java.lang.ClassNotFoundException: com.sap.engine.offline.OfflineToolStart

  at java.net.URLClassLoader$1.run(URLClassLoader.java:255)

  at java.security.AccessController.doPrivileged(Native Method)

  at java.net.URLClassLoader.findClass(URLClassLoader.java:243)

  at java.lang.ClassLoader.loadClass(ClassLoader.java:376)

  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:344)

  at java.lang.ClassLoader.loadClass(ClassLoader.java:317)

Could not find the main class: com.sap.engine.offline.OfflineToolStart.  Program will exit.

 

 

ERROR 2016-04-05 05:51:40.707 (DRACO\Administrator) id=nw.syscopy.storagecopy.secstore.GetDBUserJavaFailed errno=CJS-30249

<p style="margin-top: 0"> Cannot retrieve Java database user, see output of log file 'C:\Program Files\sapinst_instdir\NW73\SBC\STANDARD\getDBConnectInfo.log'. </p>

 

 

ERROR 2016-04-05 05:51:40.747 (DRACO\Administrator) id=controller.stepExecuted errno=FCO-00011

The step getDBUserJava_Source with step key |offlineadjustment_dialogs|ind|ind|ind|ind|0|0|getDBUserJava_Source was executed with status ERROR ( Last error reported by the step: <p style="margin-top: 0"> Cannot retrieve Java database user, see output of log file 'C:\Program Files\sapinst_instdir\NW73\SBC\STANDARD\getDBConnectInfo.log'. </p>).

 

 

INFO 2016-04-05 05:51:40.884 (DRACO\Administrator)

Creating file C:\Program Files\sapinst_instdir\NW73\SBC\STANDARD\__instana_tmp.xml.

 

############

 

What am I missing, please?

regards,

Nelson

Why Exception Operation Mode (RZ04) timetable does not display which mode is then currently active ?


Once we create an exception operation mode and it is active, the timetable does not display which mode is currently active (even though it displays it before the mode becomes active). So my points of concern are:

 

1. Is it a normal behavior ?

 

2. If so, how do we check the same after a particular number of days (say a date by which the system log has also been cleared)?

 

Kindly help me out with this.

 

 

 

Thanks in advance

Edu Krishnan

SAP screen personas 3.0 read only field with F4 help error


Hi, I've got a requirement to limit what fields users with a specific role can edit.

 

I've made a Personas screen and made all the intended fields read-only by selecting them all, clicking on "More options" and then selecting "Read only" within Personas, and then assigned the screen to all users with the intended role in the /personas/admin transaction.

 

The problem is that making the fields read-only following the above process does not remove the F4 help, so users with the role can simply press F4 and select whatever it was they wanted to add.

 

Does anyone know how to remove F4 help from fields within SAP Screen Personas 3.0? When I click on "Insert" > "Text field" > "F4 help", it shows nothing on the field.

 

Regards,

 

Rob.

Hide Web dispatcher URL


Hi,

 

We are looking for an option in the Web Dispatcher through which we can hide the redirected URL completely.

 

Current behavior

Webdispatcher URL: - http://web.abc.com

After login :- http://web.abc.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?

 

My query is that I want to completely hide the URL, even after login. After login it shows me the complete URL 'http://web.abc.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?'.

 

Please advise.

 

Profile parameters which are set:

 

#-----------------------------------------------------------------------

# SAP Web Dispatcher Ports

#-----------------------------------------------------------------------

icm/server_port_1 = PROT=HTTP,HOST=webdesp,PORT=80

icm/server_port_0 = PROT=HTTPS,HOST=webdesp,PORT=443,TIMEOUT=180,PROCTIMEOUT=600,VCLIENT=0

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$

icm/HTTP/redirect_0 = PREFIX=/,TO=/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?

icm/HTTP/mod_0=PREFIX=/,FILE=d:/usr/sap/DSP/SYS/profile/mod_sapwebdisp

ms/https_port = 443

icm/traffic_control = NETTIMEOUT=60

 

 

 

mod_sapwebdisp :-

if %{HTTP_HOST} regimatch "web.abc.com*"

RegIRewriteUrl ^/$ /sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?



Regards


Amit Sisodia


SAP Web Dispatcher: BI-JAVA and BI-ABAP with one Common Hostname and Port?


Hi all,

on an old BW doublestack we enjoyed the fact that users could address both ABAP and JAVA Stack with a single https://host:port on AS ABAP’s ICM. This way we avoided SSO cookie conflicts with other systems in the same DNS domain (by setting MYSAPSSO2-cookies to host using ume.logon.security.relax_domain.level = 0 according to note 1368384 and profile parameter login/ticket_only_to_host=1). We want a single port because everybody enjoys using standard https port 443 that can be omitted in URLs.

As far as I understand the old functionality everything starting with /sap/ was forwarded to AS ABAP and everything else to AS JAVA. Is this assumption correct?

 

So with a new BW landscape (of course consisting of two stacks) I would like to achieve this behavior by using a shared SAP Web Dispatcher in front of both systems.

 

Is configuration really as simple as I derive from:

https://help.sap.com/saphelp_nw73/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm ?

 

icm/server_port_1 = PROT=HTTPS, PORT=443,SSLCONFIG=ssl_config_0

wdisp/system_0 = SID=ABA, MSHOST=ms_abap, MSPORT=8082, SRCURL=/sap/;/SAML2;/NWBC

wdisp/system_1 = SID=J2E, MSHOST=ms_j2ee, MSPORT=8127, SRCURL=/

wdisp/system_conflict_resolution = 1

 

Am I missing something or will this work?

(Of course I will have to terminate SSL and reencrypt traffic)

Would somebody please share experience?

Thanks a lot,

Lutz

How to export the Private Key from a SSL PSE?


Imagine that you purchased an SSL certificate from a given CA. The certificate was imported into an SSL PSE and is used for HTTPS access. In certain landscapes the same certificate must also be installed on a different server or device (e.g. a reverse proxy), and that device needs the private key belonging to the certificate, which lives inside the PSE. How do you export the private key from the SSL PSE? Bear in mind that every copy of the key widens the exposure of the certificate: export it only when the target device really has to present the same certificate, and protect the exported files accordingly.

 

First of all, SAPCRYPTOLIB 5.5.5 patch level 16 or higher is required. Then you can export your PSE file to a PKCS#12 file.

 

The command line is: sapgenpse export_p12 -p <YOUR_PSE> <P12_FILE>

 

Please note that you must provide a password for the PKCS#12 file!


Example:

[Image: PrivateKey1.png]


The next step makes use of a third-party tool, openssl. With it we can extract both the private key and the certificate from the PKCS#12 file.

 

The openssl command line is: openssl pkcs12 -in <P12_FILE> -out <OUTPUT.txt> -nodes

[Image: PrivateKey2.png]


The same password must be provided here. Note that -nodes writes the private key unencrypted: the output file must be readable by its owner only and should be deleted (together with the P12 file) as soon as the key has been imported into the target device.

 

The private key is now available in the BEGIN/END RSA PRIVATE KEY block, as you can see below (newer OpenSSL releases write it as a PKCS#8 block labelled BEGIN/END PRIVATE KEY instead):

[Image: PrivateKey3.png]

Of course, I have removed my private key… ;-)
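
The text file produced by openssl above holds the key and the certificates together, so the usual next step is to split it into a key file and a chain file and to make sure the key file is never world-readable. The following script, added here as an example and not part of the original blog or of SAP's tools, does that split on the PEM blocks and accepts both the older "RSA PRIVATE KEY" label and the PKCS#8 "PRIVATE KEY" label. The SAMPLE_OUTPUT it runs on is a constructed stand-in for the openssl output; its base64 bodies are placeholders, not real key or certificate material.

```python
"""Split `openssl pkcs12 ... -nodes` text output into key.pem and chain.pem.

Added example (not SAP or OpenSSL code). Assumes the openssl text format:
optional "Bag Attributes" headers followed by PEM blocks. SAMPLE_OUTPUT is
constructed; the base64 bodies are placeholders, not a real key or cert.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: BEGIN and END lines carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Older OpenSSL writes PKCS#1 ("RSA PRIVATE KEY"), OpenSSL 1.0 and later
# write PKCS#8 ("PRIVATE KEY"). With -nodes both are in clear text.
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

SAMPLE_OUTPUT = """Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
subject=/CN=webdispatcher.foo.bar/O=Example/C=DE
issuer=/CN=Example CA/O=Example/C=DE
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gU0VSVkVSIENFUlQ=
-----END CERTIFICATE-----
subject=/CN=Example CA/O=Example/C=DE
issuer=/CN=Example CA/O=Example/C=DE
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gQ0EgQ0VSVA==
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Return (private_keys, certificates), each a list of complete PEM blocks."""
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0) + "\n"
        label = m.group("label")
        if label in PRIVATE_KEY_LABELS:
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        # Other labels (CRLs, encrypted keys) are deliberately left out.
    return keys, certs


def write_split(text, out_dir):
    """Write key.pem (created with mode 0600) and chain.pem into out_dir."""
    keys, certs = split_pem(text)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key_path = out / "key.pem"
    # Create the key file owner-only from the start instead of chmod-ing
    # an already world-readable file afterwards.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0])
    chain_path = out / "chain.pem"
    chain_path.write_text("".join(certs))
    return str(key_path), str(chain_path)


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Split the constructed sample in a temp dir and return
    (key file mode, number of certificates written to the chain)."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path, chain_path = write_split(SAMPLE_OUTPUT, tmp)
        n_certs = Path(chain_path).read_text().count("-----BEGIN CERTIFICATE-----")
        return file_mode(key_path), n_certs


if __name__ == "__main__":
    print(demo())
```

Run it against the real OUTPUT.txt by reading the file into `write_split`; the chain file is what the reverse proxy usually wants next to the key, and the key file should be removed from the admin workstation once it has been imported.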

How to replace the SSL server Standard PSE?


Public CAs no longer sign certificate requests whose RSA key is shorter than 2048 bits. The key length is a property of the PSE: a PSE created with a 1024-bit key can only produce 1024-bit certificate requests, so no CA will sign them.

The solution is to replace the SSL PSE and choose the new key length while doing so.

 

Scenario with Key Length = 1024 bits

 

The PSE has a key length of 1024 bits (on a system with kernel 7.20 or higher this information is shown in STRUST):

[Image: Replace1.png]


You can also obtain the key length using sapgenpse, with the command sapgenpse get_my_name -p SAPSSLS.pse:

[Image: Replace2.png]


Replacing the PSE

 

Via STRUST, you can use the context menu and select the option "Replace":

[Image: Replace3.png]


You need to confirm the PSE replacement:

[Image: Replace4.png]


Select the new Key Length (e.g. 2048):

[Image: Replace5.png]


Now enter the instance-specific CN (Distinguished Name) for each application server you have (in the example below, only one application server exists):

[Image: Replace6.png]


Now it is possible to create the certificate request, submit it to a CA and then import the certificate response. Until the response is imported, the replaced PSE only contains a self-signed certificate, so clients will see certificate warnings in the meantime.

 

Scenario with Key Length = 2048 bits

 

As a result of the PSE replacement, it is possible to check the new key length:

[Image: Replace7.png]

 

More information

 

SAP note 1178155 provides the steps to replace the PSE in productive environments.

SAP note 1856192 shows how to have a PSE with key length > 2048 bits.

 


How to create the CSR and how to import the certificate response?


The process of creating a certificate request (CSR) and importing the certificate response received from the CA is not always as simple as it looks. The objective here is to make life easier using the principle "a picture is worth a thousand words".


How to create the CSR?

 

The first step is to double-click on the web application server name in STRUST:

[Image: CSR1.png]


Now click on the "Create Certificate Request" button:

[Image: CSR2.png]


Now it is possible to submit the CSR to the CA of your choice:

[Image: CSR3.png]



How to import the certificate response?

 

Once the response from the CA has arrived, it is possible to import it. Just click on the "Import Cert. Response" button, available in the "Own Certificate" section:

[Image: Import1.png]


It is necessary to paste the certificate response together with the intermediate and root certificates, in that order: the server certificate first, then the intermediate certificates (there may be none, one or several), then the root certificate at the end. In this example there is no intermediate CA, so only the root certificate is appended to the end of the block. Finally, click on the green check mark:

[Image: Import2.png]


Note that there is now no "(Self-Signed)" message below the DN of the certificate (see green rectangle). Now save the PSE (see arrow):

[Image: Import3.png]


The ICM processes need to be restarted if the release is lower than 7.02 (details in SAP note 510007):

[Image: Import4.png]


By double-clicking the DN of the certificate, it is possible to see more information about it:

[Image: Import5.png]

In higher releases you will also find the algorithm, the key length and the SAN (Subject Alternative Name) information.



The ICM should be restarted (again, only if the release is lower than 7.02) via transaction code SMICM (confirm the restart of the ICM processes):

[Image: Import6.png]

How to enable SSO using X.509 client certificates in ABAP app server?


Instead of using a user ID and password to access a service on the Web Application Server ABAP via HTTPS, it is possible to authenticate with an X.509 client certificate. The ICM verifies the certificate during the TLS handshake against the CA certificates in the SSL server PSE, and the certificate's subject DN is then mapped to an ABAP user ID.


Import the CA certificate into the SSL server Standard

 

Since the user's client certificate is issued by a CA, that CA's certificate must be imported into the SSL server Standard PSE via STRUST; otherwise the ICM cannot verify the client certificate. Import only the CA that actually issues your users' certificates: every certificate signed by an imported CA passes the handshake, and only the VUSREXTID mapping described below decides which of them log on as whom. Just click on the button highlighted by the red rectangle:

[Image: SSO-X509a.png]


Once the certificate is loaded, just click on the "Add to Certificate List" button (see "1" in red); the certificate will be displayed in the "Certificate List" section (see "2" in red):

[Image: SSO-X509b.png]


Maintain the client certificate

 

It is necessary to map the client certificate to the actual user ID in the ABAP system. This is done in transaction code SM30, loading maintenance view VUSREXTID:

[Image: SSO-X509c.png]


The "External ID type" is "DN":

[Image: SSO-X509d.png]


Click on the "New Entries" button to add the client certificate (DN) and map it to the existing user ID on the ABAP side:

[Image: SSO-X509e.png]


Enter the External ID (the subject DN of the client certificate; the string has to match the DN exactly as the system formats it, which is why loading the certificate file, as described next, is the safer option), the user ID (as created in transaction code SU01), then mark the "Activated" checkbox and save the entry. The information presented is:

[Image: SSO-X509f.png]


There are cases where the DN of the user's certificate exceeds the length of column EXTID in table USREXTID. This is not a problem: just use the button highlighted (red square) above to load the actual certificate. The system then either stores the entire subject name in the database table or calculates a hash value (and stores the original subject name in a second database table).

 

Last but not least, profile parameter icm/HTTPS/verify_client must be set to 1 (the server requests a client certificate but still accepts connections without one; this is the default) or 2 (a client certificate is mandatory). With the value 0 no certificate is ever requested and certificate logon cannot work. The setting can also be overridden for a single port with the VCLIENT option of the corresponding icm/server_port_<xx> parameter.


Test if the SSO is working

 

For testing purposes, I used the WEBGUI internet service via HTTPS to check that the SSO works (assuming that the WEBGUI was correctly set up in the system): https://<FQDN>:<HTTPS port>/sap/bc/gui/sap/its/webgui

 

The SM50 logon trace (SAP note 495911) shows the following:

[Image: SSO-X509g.png]


You can read more about the use of X.509 certificates in AS ABAP in the SAP Help page.


How to setup the SAP Web Dispatcher with SSL Termination?


There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End to End SSL. This blog will present the first scenario.

 

Prerequisites

 

  • SAP Web Dispatcher 7.20 or higher
  • SAPCRYPTOLIB 5.5.5 patch level 24 or higher (in this blog pl 32 was used)

 

Profile parameters

 

The standard SSL configuration demands the following three parameters:

ssl/ssl_lib     = <path>\sapcrypto.dll

ssl/server_pse  = <path>\SAPSSLS.pse

ssl/client_pse  = <path>\SAPSSLC.pse

 

As the WDP 7.20 (and higher) can connect to different systems, the following parameters were set:

 

wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000

wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001

 

The server ports also must be defined:

 

icm/server_port_0 = PROT=HTTP,PORT=9999

icm/server_port_1 = PROT=HTTPS,PORT=10000

icm/server_port_2 = PROT=HTTPS,PORT=10001

 

As the WDP will terminate the SSL connection and forward the request to the backend in plain HTTP, the parameter below must be set. Note that with this setting the hop between the Web Dispatcher and the application servers is unencrypted, so it is only acceptable inside a network segment you fully trust; the re-encryption scenario avoids this.

wdisp/ssl_encrypt = 0


Last but not least, for testing purposes the HTML dump into the trace will be enabled, along with trace level 3. Important: the trace files will be HUGE, and with icm/trace_secured_data = 1 the decrypted request and response payload (including HTTP headers such as cookies) is written to dev_webdisp in clear text. The parameters below should be set only for a quick test or for error analysis; the default trace level (1) must be used in productive systems, and the HTML dump must stay disabled there.

 

icm/trace_secured_data = 1

rdisp/TRACE = 3
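
Both this blog and the X.509 SSO blog above come down to a handful of profile parameters whose values decide whether client certificates are requested, whether the backend hop is encrypted, and whether decrypted traffic ends up in a trace file. The script below, added here as an example and not SAP code, reads a Web Dispatcher or ICM profile and reports the effective setting for each of them: the per-port VCLIENT option overriding icm/HTTPS/verify_client (default 1), wdisp/ssl_encrypt, and the two trace parameters. SAMPLE_PROFILE is constructed from the parameters shown in this blog; the icm/HTTPS/verify_client line and the VCLIENT=2 override on port 10001 are assumptions added for the demonstration.

```python
"""Audit an ICM / SAP Web Dispatcher profile for the security-relevant
parameters discussed in the X.509 SSO and SSL termination blogs.

Added example, not SAP code. SAMPLE_PROFILE is constructed from the
parameters shown in the blog; the verify_client line and the VCLIENT=2
override on port 10001 are assumptions for the demonstration.
"""
import re
from typing import Dict, List

# "name = value"; comment lines start with '#', parameter names with a letter.
PARAM_LINE = re.compile(r"^\s*([A-Za-z][^=#]*?)\s*=\s*(.*?)\s*$")

# Meaning of icm/HTTPS/verify_client (and of the per-port VCLIENT option).
VERIFY_CLIENT = {
    "0": "client certificate never requested: certificate logon impossible",
    "1": "client certificate requested, connections without one accepted",
    "2": "client certificate mandatory",
}

SAMPLE_PROFILE = r"""
# constructed sample profile
ssl/ssl_lib     = <path>\sapcrypto.dll
ssl/server_pse  = <path>\SAPSSLS.pse
ssl/client_pse  = <path>\SAPSSLC.pse
wdisp/system_0 = SID=AAA, MSHOST=aaa.foo.bar, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000
wdisp/system_1 = SID=BBB, MSHOST=bbb.foo.bar, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001
icm/server_port_0 = PROT=HTTP,PORT=9999
icm/server_port_1 = PROT=HTTPS,PORT=10000
icm/server_port_2 = PROT=HTTPS,PORT=10001,VCLIENT=2
icm/HTTPS/verify_client = 1
wdisp/ssl_encrypt = 0
icm/trace_secured_data = 1
rdisp/TRACE = 3
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}. If a parameter appears twice the later
    line wins, which is how SAP profiles are evaluated."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = PARAM_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_options(value: str) -> Dict[str, str]:
    """Split 'PROT=HTTPS,PORT=10000,VCLIENT=2' into {'PROT': 'HTTPS', ...}."""
    opts: Dict[str, str] = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            opts[k.strip().upper()] = v.strip()
    return opts


def audit(profile: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per security-relevant setting."""
    findings: List[str] = []
    default_vc = profile.get("icm/HTTPS/verify_client", "1")
    for key in sorted(k for k in profile if k.startswith("icm/server_port_")):
        opts = parse_options(profile[key])
        prot, port = opts.get("PROT", "").upper(), opts.get("PORT", "?")
        if prot == "HTTPS":
            # A VCLIENT option on the port overrides the global verify_client.
            vc = opts.get("VCLIENT", default_vc)
            text = VERIFY_CLIENT.get(vc, f"unknown VCLIENT value {vc}")
            findings.append(f"{key}: HTTPS port {port}, {text}")
        elif prot == "HTTP":
            findings.append(f"{key}: plaintext HTTP port {port}")
    enc = profile.get("wdisp/ssl_encrypt")
    if enc == "0":
        findings.append("wdisp/ssl_encrypt=0: SSL terminated here, traffic to the backend is plaintext HTTP")
    elif enc == "1":
        findings.append("wdisp/ssl_encrypt=1: re-encryption, a new SSL connection to the backend uses ssl/client_pse")
    if profile.get("icm/trace_secured_data") == "1":
        findings.append("icm/trace_secured_data=1: decrypted payload is dumped to dev_webdisp, test-only setting")
    trace = profile.get("rdisp/TRACE", "1")
    if trace.isdigit() and int(trace) > 1:
        findings.append(f"rdisp/TRACE={trace}: above the default level 1, test-only setting")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

Point it at the real sapwebdisp.pfl before a go-live: the two trace findings and any plaintext HTTP port are what should be gone from a productive profile, and the per-port certificate policy shows whether a VCLIENT=0 on some port has quietly switched certificate logon off there.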

 

Checking the configuration

 

As soon as the profile file is saved, one can test the configuration by running:


sapwebdisp pf=sapwebdisp.pfl -checkconfig


A result similar to the following should be seen:

 

Checking SAP Web Dispatcher Configuration

=========================================

maximum number of sockets supported on this host: 8192

Server info will be retrieved from host: <FQDN1>:8100 with protocol: http

Checking connection to message server of system AAA...OK

Retrieving server info from message server...OK

Message Server instance list of system AAA

+---------------------+---------------------+---------+----------+

| instance name    |    hostname         |HTTP port|HTTPS port|

+---------------------+---------------------+---------+----------+

|         HOST_AAA_00 |<FQDN1>              |    8000 | 443  |

+---------------------+---------------------+---------+----------+

Checking ABAP servers with URL "/sap/public/icman/ping":

Checking ABAP server http://<FQDN1>:8000...OK

Checking J2EE servers with URL "/index.html":

No server group "!J2EE" defined

 

Server info will be retrieved from host: <FQDN2>:8171 with protocol: http

Checking connection to message server of system BBB...OK

Retrieving server info from message server...OK

Message Server instance list of system BBB

+---------------------+---------------------+---------+----------+

| instance name    |    hostname         |HTTP port|HTTPS port|

+---------------------+---------------------+---------+----------+

| HOST_BBB_71 |<FQDN2>              |    8071 | 443  |

+---------------------+---------------------+---------+----------+

Checking ABAP servers with URL "/sap/public/icman/ping":

Checking ABAP server http://<FQDN2>:50071...OK

Checking J2EE servers with URL "/index.html":

No server group "!J2EE" defined

 

Retrieving group info with HTTP from server <FQDN1>:8000...OK

Defined server groups:

+---------------------+----------+

| group name      | #entries |

+---------------------+----------+

|               !DIAG |       3 |

|              !DIAGS |       3 |

|                !ALL |       3 |

+---------------------+----------+

Retrieving url info with HTTP from server <FQDN1>:8000...OK

Url map info file "/sap/public/icf_info/icr_urlprefix" is OK

Contents of url map file:

+---------------------+---------------------+--------------------+

|        URL          |        Group        | virtual host     |

+---------------------+---------------------+--------------------+

|              /nwbc/ |                     |                *:*;|

|               /sap/ |                     |                *:*;|

|               /srm/ |                     |                *:*;|

+---------------------+---------------------+--------------------+

 

Check ended with 0 errors, 0 warnings

 

The WDP is now ready to work!

 

Analyzing the scenario and the dev_webdisp trace file

 

The backend emits a warning on the logon screen because, from its point of view, the request arrived over plain HTTP (the WDP terminated the SSL):

[Image: SSLTermination1.png]

In this case, the security requirement of the service in SICF can be adjusted so that the warning is not issued:

[Image: SSLTermination2.png]

 

The dev_webdisp has plenty of information available. From the test above it is possible to see the moment the request reached the WDP:

"...

[Thr 7540] IcmWorkerThread: worker 4 got the semaphore

[Thr 7540] REQ TRACE BEGIN: 0/207/1

[Thr 7540] REQUEST:

    Type: ACCEPT_CONNECTION    Index = 24

[Thr 7540] CONNECTION (id=0/207):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 103, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:50098 ()

    status: NOP

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <0>      MPI response:        <0>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

..."


Next it is possible to check the SSL handshake between the client and the server (WDP):

"...

[Thr 7540] ->> SapSSLSessionInit(&sssl_hdl=000000000296C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 7540] <<- SapSSLSessionInit()==SAP_O_K

[Thr 7540]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 7540]     out: sssl_hdl = 0000000000566A80

[Thr 7540] ->> SapSSLSetNiHdl(sssl_hdl=0000000000566A80, ni_hdl=103)

[Thr 7540] NiIBlockMode: set blockmode for hdl 103 TRUE

[Thr 7540]   SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:50098

[Thr 7540] <<- SapSSLSetNiHdl(sssl_hdl=0000000000566A80, ni_hdl=103)==SAP_O_K

[Thr 7540] ->> SapSSLSessionStart(sssl_hdl=0000000000566A80)

[Thr 7540] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"

[Thr 7540] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"

[Thr 7540]   No Client Certificate

[Thr 7540]   New session (TLSv1.0)

[Thr 7540]   HexDump of native SSL session ID { &buf= 0000000002A63F24, buf_len= 32 }

[Thr 7540] 00000: 3e a1 0f 16 d4 da 2c d8  0e df 81 df f7 fd e1 8e   >.....,. ........

[Thr 7540]    00010: 1b d9 31 11 77 32 33 9b  23 66 90 fc 36 97 e3 ed   ..1.w23. #f..6...

[Thr 7540] <<- SapSSLSessionStart(sssl_hdl=0000000000566A80)==SAP_O_K

[Thr 7540] status = "new SSL session, NO client cert"

..."
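
The handshake excerpt is worth a second look: the server-configured list above still contains RC4, single DES and 40-bit export suites, and the session is TLSv1.0, none of which should be accepted by a Web Dispatcher facing the Internet. The following script, added here as an example and not SAP code, pulls the "Server-configured Ciphersuites", "Client-offered Ciphersuites" and "New session" lines out of a level-3 dev_webdisp trace, rates each suite, and lists which of the weak suites could actually be negotiated because both sides offer them. SAMPLE_TRACE is the excerpt quoted above (the re-encryption blog further down shows the same server-configured list); the classification rules are this example's own, not SAP's.

```python
"""Check the SSL handshake lines of a dev_webdisp trace (level 3) for weak
cipher suites and deprecated protocol versions.

Added example, not SAP code. SAMPLE_TRACE is the handshake excerpt quoted
in the SSL termination blog; the rating rules are this example's own.
"""
import re
from typing import Dict, List

SERVER_RE = re.compile(r'Server-configured Ciphersuites: "([^"]*)"')
CLIENT_RE = re.compile(r'Client-offered Ciphersuites: "([^"]*)"')
PROTO_RE = re.compile(r"New session \((SSLv\d|TLSv\d(?:\.\d)?)\)")
NO_CERT_RE = re.compile(r"No Client Certificate")

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

SAMPLE_TRACE = """[Thr 7540] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"
[Thr 7540] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"
[Thr 7540]   No Client Certificate
[Thr 7540]   New session (TLSv1.0)
[Thr 7540] status = "new SSL session, NO client cert"
"""


def classify(suite: str) -> str:
    """Rate one cipher suite name. Order matters: export suites also
    mention RC4/DES/MD5 and must be caught first."""
    name = suite.upper()
    if "NULL" in name or "ANON" in name:
        return "no encryption or no authentication"
    if "EXPORT" in name or "_40_" in name:
        return "export-grade key length"
    if "RC4" in name:
        return "RC4 stream cipher"
    if "3DES" in name:
        return "legacy 3DES"
    if "_DES_" in name:
        return "single DES"
    if "MD5" in name:
        return "MD5 MAC"
    return "ok"


def _suites(pattern: re.Pattern, trace: str) -> List[str]:
    """Cipher suite list from the first matching trace line, in trace order."""
    m = pattern.search(trace)
    return m.group(1).split(":") if m else []


def analyze(trace: str) -> Dict[str, object]:
    server = _suites(SERVER_RE, trace)
    client = _suites(CLIENT_RE, trace)
    m = PROTO_RE.search(trace)
    protocol = m.group(1) if m else None
    # Only suites present on both lists can be negotiated; a downgrade
    # attacker can still steer the client towards the weakest common one.
    negotiable = [s for s in client if s in server]
    return {
        "protocol": protocol,
        "protocol_deprecated": protocol in DEPRECATED_PROTOCOLS,
        "server_suites": server,
        "server_weak": {s: classify(s) for s in server if classify(s) != "ok"},
        "negotiable": negotiable,
        "negotiable_weak": [s for s in negotiable if classify(s) != "ok"],
        "client_cert": "none" if NO_CERT_RE.search(trace) else "unknown",
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    print(f"protocol {report['protocol']} deprecated={report['protocol_deprecated']}")
    for suite, reason in report["server_weak"].items():
        print(f"  server offers {suite}: {reason}")
    print(f"weak suites negotiable with this client: {report['negotiable_weak']}")
```

The server-configured list is what you control (via the SAPCRYPTOLIB cipher suite settings of the Web Dispatcher); the client-offered list only tells you what the tested browser would have accepted. Removing a suite from the server list is the only way to make sure no client, however old, can negotiate it.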

 

The request is then read from the connection:

"...

[Thr 7540] IcmReadFromConn(id=0/207): read 631 bytes, 1 readops (timeout 0)

[Thr 7540] Address Offset  IcmReadFromConn received

[Thr 7540] ------------------------------------------------------------------------

[Thr 7540] 0000000003F16058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 7540] 0000000003F16068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 7540] 0000000003F16078 000032  5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|

[Thr 7540] 0000000003F16088 000048  20617070 6c696361 74696f6e 2f782d6d | application/x-m|

..."


The WDP will reach the web application server ABAP via HTTP:

"...

[Thr 7540] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request

[Thr 7540] ICR: IcrFindTargetSystem(0000000002A78020, '/sap/bc/gui/sap/its/webgui' -> 0

[Thr 7540] HttpGetRouteTargetSystem: SID='AAA'

[Thr 7540] ICT: IctLookupPathTable() -> 0

[Thr 7540] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui

[Thr 7540] HTR: routing destination type = ICF/ABAP .

[Thr 7540] HTR: No esid found in request

[Thr 7540] HTR: HtrIExtractSessionID -> '' 0

[Thr 7540] HTR: stateless request (no valid session ID found) or initial request for stored session id

[Thr 7540] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/8800valid=1 resp=1 capacity=10

[Thr 7540] ICR: IcrIFindMatchingPort for prot=0 stack=1 vhost=-1

[Thr 7540] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10

[Thr 7540] ICR: IcrIFindMatchingPort: found matching port: prot=0 vhost=0 port=8000 f=10

[Thr 7540] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00

[Thr 7540] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:8000/0/0

..."


A few seconds later the WDP sends the request to the application server:

"...

[Thr 7540] local host: <WDP IP>:50099

[Thr 7540] remote host: <WAS IP>:8000

[Thr 7540] HTR: forwarding buffer to server (631)

[Thr 7540] Address Offset  Send to AppServer via net:

[Thr 7540] ------------------------------------------------------------------------

[Thr 7540] 0000000003F16058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 7540] 0000000003F16068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 7540] 0000000003F16078 000032  5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|

[Thr 7540] 0000000003F16088 000048  20617070 6c696361 74696f6e 2f782d6d | application/x-m|

..."

 

A response is received from the application server:

"...

[Thr 7540] Address Offset  IcmReadFromPartner received

[Thr 7540] ------------------------------------------------------------------------

[Thr 7540] 0000000003F16058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 7540] 0000000003F16068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 7540] 0000000003F16078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

..."


The response is then encrypted and sent to the web browser:

"...

[Thr 7540] IcmPlCheckRetVal: Next status: READ_REQUEST(1)

[Thr 7540] IcmHandleNetWrite(id=0/207): HandleServData returned: 1

[Thr 7540] Address Offset  IcmWriteToConn:

[Thr 7540] ------------------------------------------------------------------------

[Thr 7540] 0000000003F16058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 7540] 0000000003F16068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 7540] 0000000003F16078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

[Thr 7540] 0000000003F16088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|

..."

 

Finally, the thread is free to wait for a new request:

"...

[Thr 7540] IcmWriteToConn(id=0/207): wrote data to partner (len = 5502)

[Thr 7540] IcmNetBufFree: free netbuf: 0000000000619C30 out of 1 used

[Thr 7540] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F15FF0 MPI_OK

[Thr 7540] NiWakeupExec: send wakeup signal to 59458->64998 (sock 33016)

[Thr 7540] IcmConnRollOut: connection (id=0/207) rolled out: reason:1 role:1 timeout:60

[Thr 7540] CONNECTION (id=0/207):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 103, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:50098 ()

    status: READ_REQUEST

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <4>      MPI response:        <5>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

 

[Thr 7540] IcmWorkerThread: SSL Session rolled out

[Thr 7540] REQ TRACE END: 0/207/1

[Thr 7540] IcmWorkerThread: Thread 4: Waiting for event

..."


If the parameter icm/trace_secured_data = 1 is not set, it is not possible to see the HTML content. The following log entry appears instead:

"…

BINDUMP of content denied

…"


Stay tuned for my next blog about SSL Re-encryption in the SAP Web Dispatcher!



How to setup the SAP Web Dispatcher with SSL Re-encryption?


There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End to End SSL. This blog will present the second scenario.

 

Prerequisites

 

  • SAP Web Dispatcher 7.20 or higher
  • SAPCRYPTOLIB 5.5.5 patch level 24 or higher (in this blog pl 32 is used)

 

Profile parameters

 

The standard SSL configuration demands the following three parameters:


ssl/ssl_lib     = <path>\sapcrypto.dll

ssl/server_pse  = <path>\SAPSSLS.pse

ssl/client_pse  = <path>\SAPSSLC.pse

 

As the WDP 7.20 or higher can connect to different systems, the following parameters were set:

 

wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000

wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001

 

The server ports also must be defined:

 

icm/server_port_0 = PROT=HTTP,PORT=9999

icm/server_port_1 = PROT=HTTPS,PORT=10000

icm/server_port_2 = PROT=HTTPS,PORT=10001


As the WDP will re-encrypt the data, i.e. terminate the client's SSL connection and open a new SSL connection to the application server, the parameter below must be set. For this to work the WDP must be able to verify the backend's server certificate, so the CA that issued it has to be present in the WDP's client PSE (ssl/client_pse):

wdisp/ssl_encrypt = 1

 

Last but not least, for testing purposes the HTML dump into the trace will be enabled, along with trace level 3. Important: the trace files will be HUGE, and with icm/trace_secured_data = 1 the decrypted request and response payload (including HTTP headers such as cookies) is written to dev_webdisp in clear text. The parameters below should be set only for a quick test or for error analysis; the default trace level (1) must be used in productive systems, and the HTML dump must stay disabled there.

 

icm/trace_secured_data = 1

rdisp/TRACE = 3


Checking the configuration

 

As soon as the profile file is saved, one can test the configuration by running:


sapwebdisp pf=sapwebdisp.pfl -checkconfig

 

No error message is expected (the result of the -checkconfig is the same as shown here)

 

The WDP is now ready to work!



Analyzing the scenario and the dev_webdisp trace file

 

Similar to the other scenarios, trace level 3 records plenty of information in dev_webdisp. From a test calling a given Internet service (WEBGUI, for example) it is possible to see the moment the request reached the WDP:


"...

[Thr 6876] IcmWorkerThread: worker 2 got the semaphore

[Thr 6876] REQ TRACE BEGIN: 0/18/1

[Thr 6876] REQUEST:

    Type: ACCEPT_CONNECTION    Index = 2

[Thr 6876] CONNECTION (id=0/18):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 147, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:53691 ()

    status: NOP

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <0>      MPI response:        <0>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

..."


Next it is possible to check the SSL handshake between the client and the server (WDP):

"...

[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K

[Thr 6876]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 6876]     out: sssl_hdl = 0000000002D7D810

[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)

[Thr 6876] NiIBlockMode: set blockmode for hdl 147 TRUE

[Thr 6876]   SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:53691

[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)==SAP_O_K

[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7D810)

[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"

[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"

[Thr 6876]   No Client Certificate

[Thr 6876]   New session (TLSv1.0)

[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53EE4, buf_len= 32 }

[Thr 6876]    00000: 5f d1 b3 37 34 1f 33 fc  84 a5 d8 c3 01 4f fe b1   _..74.3. .....O..

[Thr 6876] 00010: 33 99 af e4 20 0f 1a 88  77 24 e2 2f 4a d8 64 c6   3... ... w$./J.d.

[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7D810)==SAP_O_K

[Thr 6876] status = "new SSL session, NO client cert"

..."
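The two Ciphersuites lines above deserve more than a glance: every suite that appears in both lists could have been negotiated, and the server list still contains export-grade, RC4, DES and MD5 suites even though AES was picked this time. The following Python script is an added example, not part of the original post and not an SAP tool: it parses exactly these trace lines, intersects the two lists, flags weak suites and a legacy protocol version, and reports the suite actually negotiated. The weak-suite markers are my own classification; the input lines are copied from the excerpt above (the same line format appears in the backend's dev_icm trace).

```python
import re

# Trace lines copied from the SapSSLSessionStart excerpt above (dev_webdisp, trace level 3).
HANDSHAKE_LINES = [
    '[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:'
    'SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:'
    'SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"',
    '[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:'
    'SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"',
    '[Thr 6876]   No Client Certificate',
    '[Thr 6876]   New session (TLSv1.0)',
    '[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA',
]

_SUITES_RE = re.compile(r'(Server-configured|Client-offered) Ciphersuites: "([^"]*)"')
_CURRENT_RE = re.compile(r"Current Cipher: (\S+)")
_PROTO_RE = re.compile(r"session.*\((TLSv[0-9.]+|SSLv[0-9])\)")

# Substrings that identify suites a defender would not want enabled (my own classification).
WEAK_MARKERS = {
    "EXPORT": "export-grade key length",
    "_RC4_": "RC4 stream cipher",
    "_DES_": "single DES",
    "DES40": "40-bit DES",
    "RC2": "RC2",
    "_MD5": "MD5 MAC",
    "3DES": "3DES (64-bit block)",
    "_NULL_": "no encryption",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_handshake(lines):
    """Pull both suite lists, the negotiated suite and the protocol version out of trace lines."""
    hs = {"server": [], "client": [], "current": None, "protocol": None}
    for line in lines:
        m = _SUITES_RE.search(line)
        if m:
            side = "server" if m.group(1).startswith("Server") else "client"
            hs[side] = [s for s in m.group(2).split(":") if s]
            continue
        m = _CURRENT_RE.search(line)
        if m:
            hs["current"] = m.group(1)
            continue
        m = _PROTO_RE.search(line)
        if m:
            hs["protocol"] = m.group(1)
    return hs


def weak_reasons(suite):
    """List why a suite is considered weak; empty list means no marker matched."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite]


def audit(lines):
    """Suites both sides support could have been negotiated; report the weak ones among them."""
    hs = parse_handshake(lines)
    enabled_on_server = set(hs["server"])
    negotiable = [s for s in hs["client"] if s in enabled_on_server]
    return {
        "protocol": hs["protocol"],
        "legacy_protocol": hs["protocol"] in LEGACY_PROTOCOLS,
        "current": hs["current"],
        "current_weak": weak_reasons(hs["current"] or ""),
        "negotiable": negotiable,
        "negotiable_weak": {s: weak_reasons(s) for s in negotiable if weak_reasons(s)},
        "server_weak": {s: weak_reasons(s) for s in hs["server"] if weak_reasons(s)},
    }


if __name__ == "__main__":
    report = audit(HANDSHAKE_LINES)
    print(f"protocol: {report['protocol']} (legacy: {report['legacy_protocol']})")
    print(f"negotiated: {report['current']} weak={report['current_weak'] or 'no'}")
    print("weak suites supported by both sides (could have been negotiated):")
    for suite, why in report["negotiable_weak"].items():
        print(f"  {suite}: {', '.join(why)}")
    print(f"weak suites still enabled on the server: {len(report['server_weak'])}")
```

Run against the excerpt, the script shows that three weak suites (two RC4, one 3DES) were acceptable to both sides, that seven of the nine server-side suites are weak, and that the session is TLSv1.0; the negotiated AES suite being fine is luck of client ordering, not configuration.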


The request is then read from the connection:

"...

[Thr 6876] IcmReadFromConn(id=0/18): read 443 bytes, 1 readops (timeout 0)

[Thr 6876] Address Offset  IcmReadFromConn received

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|

[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a4163 63657074 2d4c616e | */*..Accept-Lan|

..."

 

The WDP reaches the ABAP web application server via HTTPS:

"...

[Thr 6876] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request

[Thr 6876] ICR: IcrFindTargetSystem(0000000002D614F0, '/sap/bc/gui/sap/its/webgui' -> 0

[Thr 6876] HttpGetRouteTargetSystem: SID='AAA'

[Thr 6876] ICT: IctLookupPathTable() -> 0

[Thr 6876] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui

[Thr 6876] HTR: routing destination type = ICF/ABAP .

[Thr 6876] HTR: No esid found in request

[Thr 6876] HTR: HtrIExtractSessionID -> '' 0

[Thr 6876] HTR: stateless request (no valid session ID found) or initial request for stored session id

[Thr 6876] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/0valid=1 resp=1 capacity=10

[Thr 6876] ICR: IcrIFindMatchingPort for prot=1 stack=1 vhost=-1

[Thr 6876] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10

[Thr 6876] ICR: IcrIFindMatchingPort: compare with 1 0 443 10

[Thr 6876] ICR: IcrIFindMatchingPort: found matching port: prot=1 vhost=0 port=443 f=10

[Thr 6876] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00

[Thr 6876] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:443/1/0

..."


Since the connection to the server uses HTTPS, a new SSL handshake is necessary:

"...

[Thr 6876] NiHLGetNodeAddr: found hostname '<FQDN WAS>' in cache

[Thr 6876] NiIGetNodeAddr: hostname '<FQDN WAS>' = addr <WAS IP>

[Thr 6876] NiIGetServNo: servicename '443' = port 443

[Thr 6876] NiICreateHandle: hdl 153 state NI_INITIAL_CON

[Thr 6876] NiIInitSocket: set default settings for new hdl 153/sock 32916 (I4; ST)

[Thr 6876] NiIBlockMode: set blockmode for hdl 153 FALSE

[Thr 6876] NiIConnectSocket: hdl 153 is connecting to <WAS IP>:443 (timeout=5000)

[Thr 6876] SiPeekPendConn: connection of sock 32916 established

[Thr 6876] NiICheckPendConnection: connection of hdl 153 to <WAS IP>:443 established

[Thr 6876] NiIConnect: hdl 153 took local address <WDP IP>:53692

[Thr 6876] NiIConnect: state of hdl 153 NI_CONNECTED

[Thr 6876] IcmConnPoolConnect: Connection to host: <FQDN WAS>, service: 443 established (nihdl=153)

[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))

[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K

[Thr 6876]      in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"

[Thr 6876]     out: sssl_hdl = 0000000002D7DA30

[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)

[Thr 6876] NiIBlockMode: set blockmode for hdl 153 TRUE

[Thr 6876]   SSL NI-sock: local=<WDP IP>:53692 peer=<WAS IP>:443

[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)==SAP_O_K

[Thr 6876] ->> SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30, &hostname=0000000002D4FE20)

[Thr 6876] <<- SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30)==SAP_O_K

[Thr 6876]      in: hostname = "<FQDN WAS>"

[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7DA30)

[Thr 6876] SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)

[Thr 6876]   Server Certificate available (FCPath-Len= 0)

[Thr 6876]   Server's List of trusted CA DNames (from cert-request message):

[Thr 6876]     #1  "CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??"

[Thr 6876]     #2  "CN=kkkkkkkkkkkk, O=wwwwwwwwww, C=??"

[Thr 6876] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry

[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53F64, buf_len= 32 }

[Thr 6876] 00000: 5e 4a f0 f1 1d 0e 94 c8  c8 37 d0 c5 66 4b c1 e0   ^J...... .7..fK..

[Thr 6876] 00010: 80 26 ee b5 b1 0e 36 bb  92 45 10 c9 3a 8d ad e4   .&....6. .E..:...

...

[Thr 6876]   Subject DN: CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??

[Thr 6876] Issuer  DN: CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??

[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA

[Thr 6876] MatchTargetName("<FQDN WAS>", CN="<FQDN WAS>") == EXACT match

[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7DA30)==SAP_O_K

[Thr 6876] status = "new SSL session"

[Thr 6876] Server DN = " CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??"

[Thr 6876] IcmConnPoolNewEntry: created new entry 000000000B8A0930[0] for pool 000000000B809610 (nihdl=153, ssl=0000000002D7DA30)

[Thr 6876] ICR: IcrAttachToServer('!DIAGS' 1 2 4100 1 port:443/1/0) 0-> 0

[Thr 6876] HTR: routing to destination 'HOST_AAA_00' (balanceable=0)

[Thr 6876] server triggered

[Thr 6876]    Pool Entry 000000000B8A0930:

[Thr 6876]    NI: 153, SSL: 0000000002D7DA30, allocated: 1, inuse: 1, desc: 000000000B8096B0

..."


A few seconds later the WDP sends the request to the application server:

"...

[Thr 6876] local host: <WDP IP>:53692

[Thr 6876] remote host: <WAS IP>:443

[Thr 6876] HTR: forwarding buffer to server (443)

[Thr 6876] Address Offset  Send to AppServer via net:

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|

[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a6163 63657074 2d6c616e | */*..accept-lan|

..."


A response is received from the application server:

"...

[Thr 6876] Address Offset  IcmReadFromPartner received

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|

[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|

[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|

..."

 

The response is then re-encrypted and sent to the web browser:

"...

[Thr 6876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)

[Thr 6876] IcmHandleNetWrite(id=0/18): HandleServData returned: 1

[Thr 6876] Address    Offset  IcmWriteToConn:

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|

[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|

[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|

..."


Finally, the thread is free to wait for a new request:

"...

[Thr 6876] IcmWriteToConn(id=0/18): wrote data to partner (len = 5243)

[Thr 6876] IcmNetBufFree: free netbuf: 0000000000759C10 out of 1 used

[Thr 6876] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F75FF0 MPI_OK

[Thr 6876] NiWakeupExec: send wakeup signal to 49627->64998 (sock 33032)

[Thr 6876] IcmConnRollOut: connection (id=0/18) rolled out: reason:1 role:1 timeout:60

[Thr 6876] CONNECTION (id=0/18):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 147, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:53691 ()

    status: READ_REQUEST

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <4>      MPI response:        <5>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

 

[Thr 6876] IcmWorkerThread: SSL Session rolled out

[Thr 6876] REQ TRACE END: 0/18/1

[Thr 6876] IcmWorkerThread: Thread 2: Waiting for event

..."


If the parameter "icm/trace_secured_data = 1" is not set, the HTML content is not visible in the trace (the decrypted payload is not written to disk). The following log entry appears instead:

"…

BINDUMP of content denied

…"

 

Stay tuned for my next blog about End-to-End SSL in the SAP Web Dispatcher!


How to setup the SAP Web Dispatcher with End-to-End SSL?


There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End-to-End SSL. This blog will present the third and last scenario.

 

Prerequisites

 

  • SAP Web Dispatcher 7.20 or higher
  • SAPCRYPTOLIB 5.5.5 patch level 24 or higher (in this blog pl 32 is used)

 

Profile parameters

 

The standard SSL configuration demands the following two parameters:


ssl/ssl_lib     = <path>\sapcrypto.dll

ssl/server_pse  = <path>\SAPSSLS.pse

 

As the WDP 7.20 or higher can connect to different systems, the following parameter was set:

 

wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSSPORT=44400, SRCSRV=webdispatcher.foo.bar:10000

 

The WDP reaches the message server of the backend through the HTTPS port 44400.


The server ports also must be defined:

 

icm/server_port_0 = PROT=ROUTER,PORT=10000

icm/server_port_1 = PROT=HTTPS,PORT=0

 

As the metadata exchange should also be done via HTTPS, the parameter below is set:

 

wdisp/server_info_protocol = https

 

Last but not least, for testing purposes the HTML dump into the trace is enabled, together with trace level 3. Important: the trace files will be HUGE! The parameters below should be set only for a quick test or for error analysis. The default trace level (1) must be used in productive systems, and for security reasons the HTML dump must not be active there: with icm/trace_secured_data = 1 the decrypted HTTP requests and responses are written in cleartext to the trace file.

 

icm/trace_secured_data = 1

rdisp/TRACE = 3

 

Checking the configuration

 

As soon as the profile file is saved, one can test the configuration by running:


sapwebdisp pf=sapwebdisp.pfl -checkconfig

 

No error message is expected (the result of the -checkconfig is the same as shown here)

 

The WDP is now ready to work!

 

Analyzing the scenario and the dev_webdisp trace file


One issue with this scenario is that the Web Application Server (WAS) performs the SSL handshake, so the certificate sent to the web browser carries the CN of the WAS and not of the WDP! The browser notices that this CN does not match the host name it addressed (webdispatcher.foo.bar) and issues a warning:

(Screenshot End-to-End1.png: the browser's certificate warning)


In this scenario the WDP acts as a router for the request: it passes the encrypted stream through to the backend instead of terminating SSL itself. The entry found in dev_webdisp shows:

"...

[Thr 6424] IcmWorkerThread: worker 3 got the semaphore

[Thr 6424] REQ TRACE BEGIN: 2/15/2

[Thr 6424] REQUEST:

    Type: READ_REQUEST    Index = 10995

[Thr 6424] CONNECTION (id=2/15):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 169, protocol: ROUTER(16)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:54828 ()

    status: READ_REQUEST

    connect time: xx.zz.yyyy aa:bb:cc

    backend host: <FQDN WAS>:443, nihdl: 177, ssl: 0, desc: 0000000002BB0790

    MPI request:        <6>      MPI response:        <7>  

request_buf_size:   0        response_buf_size:   0    

    request_buf_used:   0 response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

..."

 

The actual communication can be found in the dev_icm trace file from the WAS (in this case, the trace level was already set to 3).


The connection from WDP to WAS:

"...

[Thr 3428] IcmWorkerThread: worker 20 got the semaphore

[Thr 3428] REQ TRACE BEGIN: 0/1552/1

[Thr 3428] REQUEST:

    Type: ACCEPT_CONNECTION    Index = 3156

[Thr 3428] CONNECTION (id=0/1552):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 250, protocol: HTTPS(2)

    local host:  <WAS IP>:443 ()

    remote host: <WDP IP>:56517 ()

    status: NOP

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <0>      MPI response:        <0>

    request_buf_size:   0 response_buf_size:   0

request_buf_used:   0        response_buf_used:   0

request_buf_offset: 0 response_buf_offset: 0

..."

 

The SSL handshake between the client and the server (WAS):

"...

[Thr 3428] ->> SapSSLSessionInit(&sssl_hdl=0000000002A0BE60, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 3428] <<- SapSSLSessionInit()==SAP_O_K

[Thr 3428]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 3428]     out: sssl_hdl = 0000000002D1D130

[Thr 3428] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D1D130, ni_hdl=250)

[Thr 3428] NiIBlockMode: set blockmode for hdl 250 TRUE

[Thr 3428]   SSL NI-sock: local=<WAS IP>:443  peer=<WDP IP>:56517

[Thr 3428] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D1D130, ni_hdl=250)==SAP_O_K

[Thr 3428] ->> SapSSLSessionStart(sssl_hdl=0000000002D1D130)

[Thr 3428] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_R

[Thr 3428] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_

[Thr 3428]   No Client Certificate

[Thr 3428]   Cached session resumed (TLSv1.0)

[Thr 3428]   HexDump of native SSL session ID { &buf= 0000000002C9D224, buf_len= 32 }

[Thr 3428] 00000: c6 7e ec f1 55 cb 9e 4c  d4 3d 34 08 78 ba 67 c3   .~..U..L .=4.x.g.

[Thr 3428]    00010: 01 36 ee 05 23 ea 98 5f  d8 fc 10 ac f2 29 49 4f   .6..#.._ .....)IO

[Thr 3428] <<- SapSSLSessionStart(sssl_hdl=0000000002D1D130)==SAP_O_K

[Thr 3428]          status = "resumed SSL session, NO client cert"

..."


The request is then read from the connection:

"...

[Thr 3428] IcmReadFromConn(id=0/1552): read 318 bytes, 1 readops (timeout 0)

[Thr 3428] Address Offset  IcmReadFromConn received

[Thr 3428]

[Thr 3428] 0000000007FF56D8 000000  47455420 2f736170 2f62632f 6775692f  GET /sap/bc/gui/

[Thr 3428] 0000000007FF56E8 000016  7361702f 6974732f 77656267 75692048  sap/its/webgui H

[Thr 3428] 0000000007FF56F8 000032  5454502f 312e310d 0a416363 6570743a  TTP/1.1..Accept:

...

[Thr 3428] 0000000007FF57D8 000256  0a486f73 743a2077 65626469 73706174  .Host: webdispat

[Thr 3428] 0000000007FF57E8  000272 63686572 2e666f6f 2e626172 3a313030 cher.foo.bar:100

[Thr 3428] 0000000007FF57F8 000288  30300d0a 436f6e6e 65637469 6f6e3a20  00..Connection:

[Thr 3428] 0000000007FF5808 000304  4b656570 2d416c69 76650d0a 0d0a      Keep-Alive....

..."


A few seconds later the WAS sends the response to the client:

"...

[Thr 3428] Address Offset  IcmWriteToConn:

[Thr 3428]

[Thr 3428] 0000000007FF56D8 000000  48545450 2f312e31 20323030 204f4b0d  HTTP/1.1 200 OK.

[Thr 3428] 0000000007FF56E8  000016 0a636f6e 74656e74 2d747970 653a2074 .content-type: t

[Thr 3428] 0000000007FF56F8 000032  6578742f 68746d6c 3b206368 61727365  ext/html; charse

..."

 

Finally, the thread is free to wait for a new request:

"...

[Thr 3428] CONNECTION (id=1/1553):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 308, protocol: HTTPS(2)

    local host:  <WAS IP>:443 ()

    remote host: <WDP IP>:56518 ()

    status: READ_REQUEST

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <107a>   MPI response:        <107b>

request_buf_size:   0        response_buf_size:   0

request_buf_used:   0        response_buf_used:   0

request_buf_offset: 0 response_buf_offset: 0

[Thr 3428] REQ TRACE END: 1/1553/5

[Thr 3428] IcmWorkerThread: Thread 20: Waiting for event

..."


If the parameter "icm/trace_secured_data = 1" is not set, the HTML content is not visible in the trace (the decrypted payload is not written to disk). The following log entry appears instead:

"…

BINDUMP of content denied

…"
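The hex dumps in this post (dev_icm of the WAS, ASCII column without delimiters) and in the SSL Re-encryption post above (dev_webdisp, "|ascii|" layout) share one format: thread id, address, decimal offset, up to four 32-bit hex words, then the ASCII rendering. As an added example, not part of the original posts and not an SAP tool, the Python script below reassembles such dumps into the HTTP message, marks the byte ranges that a "..." elided, and lists headers (Authorization, Cookie, ...) whose values a trace written with icm/trace_secured_data = 1 would hold in cleartext, which is the concrete reason the parameter has to stay off in production. The first two samples are copied from the posts; the third, carrying an SSO cookie, is constructed and rendered into the same layout by the script's own formatter.

```python
import re

# Lines copied from the dev_icm excerpt above (request as read by the WAS, ASCII column without
# delimiters); the "..." line stands for the bytes the post elided.
WAS_REQUEST_DUMP = [
    "[Thr 3428] 0000000007FF56D8 000000  47455420 2f736170 2f62632f 6775692f  GET /sap/bc/gui/",
    "[Thr 3428] 0000000007FF56E8 000016  7361702f 6974732f 77656267 75692048  sap/its/webgui H",
    "[Thr 3428] 0000000007FF56F8 000032  5454502f 312e310d 0a416363 6570743a  TTP/1.1..Accept:",
    "...",
    "[Thr 3428] 0000000007FF57D8 000256  0a486f73 743a2077 65626469 73706174  .Host: webdispat",
    "[Thr 3428] 0000000007FF57E8  000272 63686572 2e666f6f 2e626172 3a313030 cher.foo.bar:100",
    "[Thr 3428] 0000000007FF57F8 000288  30300d0a 436f6e6e 65637469 6f6e3a20  00..Connection: ",
    "[Thr 3428] 0000000007FF5808 000304  4b656570 2d416c69 76650d0a 0d0a      Keep-Alive....",
]
# Lines copied from the SSL Re-encryption post (IcmWriteToConn dump in dev_webdisp, "|ascii|" layout).
WDP_RESPONSE_DUMP = [
    "[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|",
    "[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|",
    "[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|",
    "[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|",
    "[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|",
    "[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|",
]
# Constructed sample (not from the posts): the same request carrying an SSO cookie, to show what
# icm/trace_secured_data = 1 writes to disk. The ticket value is a placeholder.
CONSTRUCTED_COOKIE_REQUEST = (
    b"GET /sap/bc/gui/sap/its/webgui HTTP/1.1\r\n"
    b"Host: webdispatcher.foo.bar:10000\r\n"
    b"Cookie: MYSAPSSO2=CONSTRUCTED-TICKET-VALUE\r\n\r\n"
)

# thread id, 16-digit address, 6-digit decimal offset, then up to four 32-bit hex words
_DUMP_RE = re.compile(r"^\[Thr \d+\]\s+[0-9A-Fa-f]{16}\s+(\d{6})\s+((?:[0-9A-Fa-f]{2,8}\s+){1,4})")
GAP_BYTE = b"\x00"  # placeholder for bytes the excerpt elided with "..."
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def format_dump(thr, data, base_addr=0x3F76058):
    """Render bytes in the ICM trace layout (used here only to build the constructed sample)."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"[Thr {thr}] {base_addr + off:016X} {off:06d}  {words:<35} |{ascii_col}|")
    return out


def parse_dump(lines):
    """Rebuild the dumped bytes; returns (data, gaps) with gaps as (start, end) offsets not shown."""
    chunks = {}
    for line in lines:
        m = _DUMP_RE.match(line)
        if m:  # other trace lines and "..." separators are skipped
            chunks[int(m.group(1))] = bytes.fromhex("".join(m.group(2).split()))
    data, gaps, expected = bytearray(), [], 0
    for offset in sorted(chunks):
        if offset > expected:
            gaps.append((expected, offset))
            data.extend(GAP_BYTE * (offset - expected))
        data.extend(chunks[offset])
        expected = offset + len(chunks[offset])
    return bytes(data), gaps


def parse_http_message(data):
    """Split start line, headers and body; tolerate a head cut short or holed by elided bytes."""
    head, sep, body = data.partition(b"\r\n\r\n")
    segments = [s.rstrip(b"\r") for s in head.split(b"\n")]
    headers = []
    for raw in segments[1:]:
        if b":" not in raw:
            continue  # header cut off before its colon (e.g. "Accept-Lan" in the WDP excerpt)
        name, _, value = raw.partition(b":")
        headers.append({
            "name": name.decode("latin-1").strip().lower(),
            "value": value.replace(GAP_BYTE, b"").decode("latin-1").strip(),
            "complete": GAP_BYTE not in raw,
        })
    return {"start_line": segments[0].decode("latin-1"), "headers": headers,
            "body": body, "complete_head": bool(sep)}


def analyze(lines):
    """Reassemble a dump and report which header values would sit in cleartext in the trace."""
    data, gaps = parse_dump(lines)
    msg = parse_http_message(data)
    msg["gaps"] = gaps
    msg["sensitive"] = [h["name"] for h in msg["headers"] if h["name"] in SENSITIVE_HEADERS]
    return msg


if __name__ == "__main__":
    samples = [("WAS request", WAS_REQUEST_DUMP), ("WDP response", WDP_RESPONSE_DUMP),
               ("constructed request", format_dump(6876, CONSTRUCTED_COOKIE_REQUEST))]
    for label, dump in samples:
        msg = analyze(dump)
        print(f"{label}: {msg['start_line']}  elided ranges: {msg['gaps']}")
        for h in msg["headers"]:
            print(f"  {h['name']}: {h['value']}" + ("" if h["complete"] else "  [cut by ...]"))
        if msg["sensitive"]:
            print(f"  credentials in cleartext trace: {', '.join(msg['sensitive'])}")
```

On the WAS request the reassembly recovers the start line, reports the hole between offsets 48 and 256, and shows the Host header still naming webdispatcher.foo.bar:10000, confirming that in end-to-end mode the WDP forwarded the client's bytes untouched. The constructed sample shows the Cookie header, and thus the SSO ticket, landing in the trace file verbatim.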


So, the three usual SSL scenarios involving the Web Dispatcher have now been covered.


For more on the SAP Web Dispatcher, please access this Wiki page.

Powershell dev_wXX file split


Each work process writes trace entries into dev_wXX files.

 

Each line comes from one of the different components, as listed in SAP note 112:

"...

A  ABAP Processor

B  Database (general database interface)

C  Database (DBSL)

D  Diag Processor

E  Lock Management (Enqueue)

F  Startup Framework (in AS Java)

G  Language Support/Internationalization (Unicode Conversion)

H  Internet Communication Framework (ICF)

I  Semaphore, Shared Memory (IPC)

J  VM Container (Java in AS ABAP)

L  Background (Batch)

M  Dispatcher/Taskhandler

N  Security

P  Paging

R  Rolling

S  Printing

T  Debug System

W  WebGui

X  Extended Memory

Y  Dynp Processor

..."

 

In some cases, e.g. a security issue involving logon (in other words, SSO failed), an SM50 logon trace (per SAP note 495911) might be required.

The information is recorded in the trace files, but the files contain not only "N" messages ("N" marks the Security entries in the trace).

How can the entries be separated, so you don't need to go through all the unrelated components?

 

In the past I wrote one application that separated all the entries by their respective components, creating new files (one file per component plus one file for the remaining entries).

In order to avoid using a graphical interface, I decided to pursue a PowerShell approach with the same outcome.

 

Here is the resulting PS script I am sharing:

"...

# Usage: powershell -file devwxx.ps1 <dev_wXX file>
# Resolve the argument to a full path first: [System.IO.File] resolves relative names against the
# process working directory, which is not necessarily the current PowerShell location.
$filename = (Resolve-Path $args[0]).Path;

# One output file per trace component (letters as listed in SAP note 112), named after the input
# file and written to the current directory; everything else goes to the "remaining entries" file.
$base  = [io.path]::GetFileNameWithoutExtension($filename);
$fileA = $base + ".A-ABAP-Processor.txt";
$fileB = $base + ".B-Database-(general-database-interface).txt";
$fileC = $base + ".C-Database-(DBSL).txt";
$fileD = $base + ".D-Diag-Processor.txt";
$fileE = $base + ".E-Lock-Management-(Enqueue).txt";
$fileF = $base + ".F-Startup-Framework-(in-AS-Java).txt";
$fileG = $base + ".G-Language-Support-Internationalization-(Unicode-Conversion).txt";
$fileH = $base + ".H-Internet-Communication-Framework-(ICF).txt";
$fileI = $base + ".I-Semaphore,-Shared-Memory-(IPC).txt";
$fileJ = $base + ".J-VM-Container-(Java-in-AS-ABAP).txt";
$fileL = $base + ".L-Background-(Batch).txt";
$fileM = $base + ".M-Dispatcher-Taskhandler.txt";
$fileN = $base + ".N-Security.txt";
$fileP = $base + ".P-Paging.txt";
$fileR = $base + ".R-Rolling.txt";
$fileS = $base + ".S-Printing.txt";
$fileT = $base + ".T-Debug-System.txt";
$fileW = $base + ".W-WebGui.txt";
$fileX = $base + ".X-Extended-Memory.txt";
$fileY = $base + ".Y-Dynp-Processor.txt";
$fileZ = $base + ".remaining-entries.txt";

# Stream the trace line by line: dev_w files can be very large, so do not load them whole.
foreach ($line in [System.IO.File]::ReadLines($filename)) {
  # Skip empty and very short lines; the first character of a trace line is the component letter.
  if ($line.length -gt 2) {
    $a = $line.Substring(0,1);
    switch ($a) {
       "A" { Add-Content $fileA $line }
       "B" { Add-Content $fileB $line }
       "C" { Add-Content $fileC $line }
       "D" { Add-Content $fileD $line }
       "E" { Add-Content $fileE $line }
       "F" { Add-Content $fileF $line }
       "G" { Add-Content $fileG $line }
       "H" { Add-Content $fileH $line }
       "I" { Add-Content $fileI $line }
       "J" { Add-Content $fileJ $line }
       "L" { Add-Content $fileL $line }
       "M" { Add-Content $fileM $line }
       "N" { Add-Content $fileN $line }
       "P" { Add-Content $fileP $line }
       "R" { Add-Content $fileR $line }
       "S" { Add-Content $fileS $line }
       "T" { Add-Content $fileT $line }
       "W" { Add-Content $fileW $line }
       "X" { Add-Content $fileX $line }
       "Y" { Add-Content $fileY $line }
       # Unknown component letter or a continuation line without a component prefix.
       default { Add-Content $fileZ $line }
    }
  }
}

..."

 

Just open a PowerShell box and run:

 

powershell -executionPolicy bypass -noexit -file "devwxx.ps1" "dev_w0.txt"

 

You can replace "dev_w0.txt" by the developer trace you want to parse. "devwxx.ps1" is the name of the file that contains the script.

 

If you have another PowerShell alternative to do the same task and are willing to share, please comment below.

SGEN error - Job has not been started yet


Hello,

 

We installed a new sap system using system copy - export/import

Environment - oracle 10.2.0.4 on Win 2003, ECC6 EHP4 NW 7.01

background WPs are available, RZ04, RZ12, RFC group, SM21, rz10, all seem to be fine.

 

Job doesn't start, no job in sm37 for sgen. Tried both ways - single and all components.

 

Job has not been started yet:

Job Name: RSPARAGENER8

Job Status: does not exist

 

Does anybody have any suggestions?

Step by step for Oracle 10.2.0.2 to 10.2.0.5


Hi Basis Guys,

 

Currently I am working on an Oracle 11G upgrade; for that we need to upgrade the current version from 10.2.0.2 to 10.2.0.5 first. The OS is AIX and the DB is Oracle.

 

I downloaded the guide for AIX with Oracle from the SMP portal, but I could not find the exact steps for the upgrade from 10.2.0.2 to 10.2.0.5; that guide explains only the 11G upgrade.

 

Can someone explain and share the step-by-step procedure? Please help me.

 

Thanks,

Sankar


Which Package for Upgrade


Hi.

We want to upgrade one of our test servers to NW 7.5 to test the new SAPUI 7.5 libraries and the 1.32 runtime.

For that the new SUM wants to have the DVD with the label "NW750_MID"; if someone knows where to find the media to download, I would really appreciate it.

I already downloaded every single file in Netweaver 7.5 on SWDC.

 

Best regards.

Christoph
