Saturday 21 December 2013

Introduction and how to configure SAP Web GUI

To eliminate the extensive support of SAP GUI maintenance and upgrade on user PCs, the SAP Web GUI would provide an alternative solution to avoid all the support hassle and attractive benefit of zero installation.

A) Introduction on the SAP GUI family:

1) Web / HTML GUI: 
- Suitable for users who work with SAP transactions but don't require the performance of a native GUI
- Runs within standard browsers on Windows, Linux, MacOSX, iPad or Android browsers.
- Not getting the performance of an natively running software
- User may encounter usability limitations that caused by the browser framework
- Requires ITS in your SAP landscape to render pages

2) Windows / Java GUI: 
- native high performance
- Requires local installation of the solution.
Requires Java Plug-In on the client side (Java GUI)
- Have to worry about the software installations, upgrades, etc

B) Steps to setup the SAP WEB GUI

1) Verify the ICM configuration parameters. Execute TCODE: SMICM

2) Click "Goto" -> "Parameters" -> "Display"

3) Ensure the parameter: icm/server_port_0 = HTTP,PORT=<Desired port ex:8000>, ........

4)  Ensure the parameter: icm/host_name_full = <Full Qualified Domain Name/FQN>

4) Execute TCODE: SICF, click the "execute" button

5) Select the following node and active the services:
- /default_host/sap/bc/gui/sap/its/webgui
- /default_host/sap/public/bc/ur
- /default_host/sap/public/bc/its/mimes

Right click the selected node and click "Activate Service"

6) Click "Yes"

7) Execute TCODE: SIAC_PUBLISH_ALL_INTERNAL (wait few minutes to activate the publishing services)

 8) The progress will be shown in the status bar

9) Once the progress complete, a information screen will be shown.

10) Login with one of the following URL from the web browser
- http://<IP>:8000/sap/bc/gui/sap/its/webgui
- http://<FQN>:8000/sap/bc/gui/sap/its/webgui

 11) The login splash screen
 12) The SAP Web GUI main menu

13) Sample login screen with iPad

C) Troubleshoot:

1) Problem: The required icm parameters not found
    Solution: Execute TCODE: RZ10 to add the parameter to the profile 

2) Problem: How to check the FQN 
    Solution: View the "C:\Windows\System32\Drivers\etc\hosts" file 
                  (depends on windows configuration, some might not be available and could be added manually)

3) Problem: Error "Session not found" when executing TCODE in SAP Web GUI after login

Solution: Execute TCODE: SICF_SESSIONS and select the client to be access by Web GUI

Double click the state to activate it and retry the login again.

4) Problem: How to ensure the Web login connection details
    Solution: By using the sapmmc (windows), select the connections icon under the ICM for more details

D) Conclusion 
That all for the configuration and in the end, it's all depends on the environment and on the type of users whether to use pure native GUI or Web GUI or even mixture of it.

Tuesday 3 December 2013

Forcing a transport between system with different patch level

Scenario: TR to be transport between system with different software version. Ex: DEV server been patch with latest SP while QAS server still pending for upgrade and running on lower SP.

Steps to force the TR:

1) Example: DEV with higher software version compare to QAS

2) Transport the TR with STMS

3) Click "Yes" button to start the TR 

4) Error will occur due to software version conflict

5) Click the "Question Mark" for further details

6) Re-run the transport again. Click "Yes" button

7) Click the "Options" tab and select the option: "Ignore Invalid Component Version". Probably you might need to select the rest of the options as well.

8) Click the "Yes" button

9) The TR is running

10) The TR complete with the status showing "Does not match component version"

11) Review the TR import log for further details

12) The TR successful transport between system

13) Don't forget to check the configurations / changes / roles / ABAP program etc whether it's been transported successfully into the target system.

Sunday 27 October 2013

Compare the customizing settings between the 2 systems/clients with SCU0

There might be times you want to compare the customizing settings between 2 systems/clients. Example when some transactions are behaving differently between systems/clients and you are suspecting that some of the customizing is missing from one of them.

TCODE: SCU0 offers a flexible way to perform comparison include by selecting exactly which parts of the IMG (Implementation Guide) that require to be compared and also allows comparison results to be stored for later use and reference.


1) Execute TCODE: SCU0, in this example we'll try compare with the option "All Components", Click "Create" button

2) Select the relevant RFC connection to the target system/client (Reference: What is RFC)

3) Click "Total Comparison in Background" button. Enter the description and once the comparison is ready, user would be able to display the result at any time with the Comparison run ID assigned.

4) Select the relevant background server

5) Click "Immediate" button and the "Check" button

6) Click the "Save" button to begin the comparison process.
 7) Execute TCODE: SM37 to verify the background job is running

8) Click the "Display" button to view the comparison result even it still in the mid of processing. Ensure the correct Comparison run ID.

9) Example the logon client:001 contains 254 entries in the table whereas the comparison client"000 there are no entries in the table at all

10) Click the "Statistics" button to shown the relevant status and the details of the object type

11) Click the "Legend" button to shown more information

12) This is a useful tool that helps to solve problems quicker by making quick comparisons of customizing across various clients and/or systems to identify possible missing or erroneous of customizing.

Thursday 26 September 2013

Administration: Code to enable the edit option for parameter change (RZ11)

The update option to perform parameter change with TCODE: RZ11 is not available by default.

Steps on how to re-activate the hidden edit option.

1) Execute TCODE: RZ11

2) The editable option for parameter change is not available

3) Enter "int" to enable the hidden edit button

4) The "edit" option appear for parameter change

5) Perform the changes and click save to update the new parameter value

How to configure Single Sign On (SSO) between SAP GUI (backend system) and Portal (Front end)

How to bypass the second layer of login authentication when accessing portal from SAP GUI.

Once the SAP Solution Manager installation complete, access of "SOLMAN_WORKCENTER" through SAP GUI would require additional level of login authentication on all the portal features.


1) Additional authentication required

2) Portal login screen

3) Portal menu

This additional login level can be overcome with the integration of Single Sign On (SSO) by setting up a trusted relationship between the backend system and the portal.

Steps to configure the SSO integration between backend system and front end portal:

A) Front End: Export certificate from portal 

1) Login to Visual Administrator
    Refer to How to execute or run J2EE Engine Visual Administrator

2)  Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Export" button

3) Save the file on the backend server (SAP system)

4) Enter filename. Ex: portal_sid_certificate.crt

B) Backend: Create a user "SAPJSF" 

1) Execute TCODE: SU01 -> display user: SAPJSF" (if user not exist create a new user, user type: system)


3) Check "icm/host_name_full parameter" been configured correctly in Default profile

4) Execute TCODE: RZ10 to ensure parameter for "login/accept_sso2"_ticket and "login/create_sso2_ticket" are ready or create it if necessary

5) Select Instance profile

5) Click "Extended maintenance" and "Change" button

6) If the 2 parameters not available, Click the "Parameter" icon to create it

7) Enter Parameter name: login/accept_sso2_ticket, Parameter val: 1 and click "Copy" button

8) Enter Parameter name: login/create_sso2_ticket, Parameter val: 2 and click "Copy" button

9) Make sure the parameters are correct

10) Save the profile

11) Restart the SAP system

12) Restart with sapmmc

 13) Click "OK:

14) Wait for the reboot

C) Backend: Import the front end certificate created earlier


2) Click "Certificate" -> "Import"

3) Click 'Binary" and Select the portal certificate created earlier

4) Click the "tick" button

5) Click "Allow"

6) Certificate imported successfully

7) Click "Add to certificate list and continue clicking on the "Add to ACL" button

8) Enter System ID: J2E, Client: 000

9) New entry created at the Logon ticket section

10) Click "Save" button

D) Backend: Export certificate

 1) Click the "Export" button

2) Select "Binary" and enter filename ex: abap_back end_certificate.crt (to be import into front end server)

3) Click "OK"

E) Front end: Create a JCo RFC provider 

1) Execute TCODE: SMGW and mark down the LU Name, TP Name

2) Select Cluster: Server -> Services -> JCo RFC provider -> Runtime tab -> Bundles tab ->
     Registered server
     Enter Program Id: sapj2ee_port, Gateway host: LU Name, Gateway service: sapgw00,
     Server Count (1..20): 1

3) Click Repository: Specify Application Server
    Enter: Application server host: LU Name, System number: 00 (according to the relevant SAP system),
    Client: 000 (according to the relevant SAP system), Language: EN, User: SAPJSF,
    Password: master password created during installation or password reset for user: SAPJSF
    Click "Set" button

F) Front end: Add back end to security providers list

1) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: ticket
    Click the "Pencil" button to switch to edit mode  

2) Select Authentication tab -> ""
    Click Modify" button

3) Enter the following details:
    Name:, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button

4) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: evaluate_assertion_ticket
    Select Authentication tab -> "EvaluateAssertionTicketLoginModule"
    Enter the following details:
    Name:, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button
    Click Modify" button

G) Front end: Import the backend certificate 

1) Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Load" button

2) Select the "abap_back end_certificate.crt" that created from the backend system

3) The certificate imported successfully

4) Click "Yes" to exit the Visual Administrator

5) Restart the SAP system with sapmmc

H) Backend: Create and test the RFC connection

1) Execute TCODE: SM59 -> Select "TCP/IP Connection" -> Click "Create" icon

2) Enter RFC Destination: RFC_TO_PORTAL, Connection Type: T, Program ID: sapj2ee_port

3) Enter Gateway host = LU Name, Gateway service: sapgw00

4) Save and test the connection

5) Connection is ready

I) Login to portal


2) The second layer authentication login screen will be bypass

3) That all for the SSO integration between backend system and front end portal

Error importing Front end: Import the backend certificate (section G)

1) Sample error appear during the import process

2) Rename the filename to a shorter filename

3) The import of the certificate will be successful