How To Change SAP Router Configuration File - Adding New Port

Scenario: 
SAP Global team unable to remote access your Solution Manager and require additional port to be configure on the SAP router configuration file.

Steps:

1) SAP Support team having problem to remote access the Solution Manager page (HTTP Access) for further remote support.

2) Initial finding shown the connection is ok.

3) Further finding shown, additional port required to be configure on the SAP router for HTTP access.

4) Sample of the configuration settings required.

5) To perform any changes on the SAP router configuration file, stop the SAProuter service.

6) Locate the "saprouttab" file (ex: c:/usr/sap/saprouter) and add the required ports.

7) Once the "saprouttab" changes complete, restart the "SAProuter" services.

8) SAP Global team should be able to remote access the page by now.

Solution Manager: EarlyWatch Alert - Fix for Common Timeout Error on Remote System

Scenario
Encounter timeout error on remote system that caused by the data collection of EarlyWatch Alert.

Relevant SAP Note
1247198 - /SDF.RSORADLD_NEW timeout
984955 - Timeout with selection of V$-Views
838725 - Oracle dictionary statistics and system statistics

Error found on the remote system
1) Sample error from "ST22"

2) Double click to view the details

3) To further investigate the error with "ST11" and locate the trace log that within the time range of the error occur

4) Double click to view the details and search for the activities that occur on the specific time frame

Solution:
1) Prerequisite to ensure the BRTools version: SAP BRTools Release 7.00 Build 15 onwards.

2) To check the BRTools version and update it if required

3) Execute BRCONNECT command to create Oracle dictionary statistics - BRCONNECT internally calls the two procedures GATHER_DICTIONARY_STATS and GATHER_FIXEC_OBJECTS_STATS.

Login with user: ORA<SID> and execute the command below and wait until it complete. It will take couple of minutes depends on the system resources. (brconnect -u / -c -f stats -t oradict_stats)

4) Monitor the process with OS command: "top" with another putty session

5)  Creating Oracle system statistics (NOWORKLOAD) using BRCONNECT
     (brconnect -u / -c -f stats -t system_stats)

6) Creating Oracle system statistics (WORKLOAD) using BRCONNECT
    (brconnect -u / -c -f stats -t system_stats -i <minutes>) - example of 1 minutes

7) That's all, observe the task next cycle or day to determine the error been resolve.

Authorization: Example of Resolving Solution Manager Monitoring Error - RFC_NO_AUTHORITY

Scenario
Encounter authorization error on remote system after setting up of Solution Manager system monitoring.

System used
1) Remote system that been monitor: QAS client: 688

Error found on the QAS
1) TCODE: ST22 showing the list of error

2) Double click for further details

3) Locate the user that been used for the RFC connection

Solution
1) Execute TCODE: ST01 to trace the missing authorization for the user used for the RFC connection.

2) Execute TCODE: SUIM to find the role that required additional settings and select Roles by Complex Selection Criteria

3) Select the relevant user and the filtering object: S_RFC

4) Sample role found and double click to modify the authorization data

5) Click the change button

6) Add the missing authorization

7) That's all and observe the log of the next cycle or day to confirm the RFC error no longer appear.

How to configure Single Sign On (SSO) between SAP GUI (backend system) and Portal (Front end)

How to bypass the second layer of login authentication when accessing portal from SAP GUI.

Scenario:
Once the SAP Solution Manager installation complete, access of "SOLMAN_WORKCENTER" through SAP GUI would require additional level of login authentication on all the portal features.

Example:

1) Additional authentication required

2) Portal login screen

3) Portal menu

This additional login level can be overcome with the integration of Single Sign On (SSO) by setting up a trusted relationship between the backend system and the portal.

Steps to configure the SSO integration between backend system and front end portal:

A) Front End: Export certificate from portal 

1) Login to Visual Administrator
    Refer to How to execute or run J2EE Engine Visual Administrator

2)  Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Export" button

3) Save the file on the backend server (SAP system)

4) Enter filename. Ex: portal_sid_certificate.crt

B) Backend: Create a user "SAPJSF" 

1) Execute TCODE: SU01 -> display user: SAPJSF" (if user not exist create a new user, user type: system)

2) Assign roles "SAP_BC_JSF_COMMUNICATION" and "SAP_BC_USR_CUA_CLIENT_RFC"

3) Check "icm/host_name_full parameter" been configured correctly in Default profile

4) Execute TCODE: RZ10 to ensure parameter for "login/accept_sso2"_ticket and "login/create_sso2_ticket" are ready or create it if necessary

5) Select Instance profile

5) Click "Extended maintenance" and "Change" button

6) If the 2 parameters not available, Click the "Parameter" icon to create it

7) Enter Parameter name: login/accept_sso2_ticket, Parameter val: 1 and click "Copy" button

8) Enter Parameter name: login/create_sso2_ticket, Parameter val: 2 and click "Copy" button

9) Make sure the parameters are correct

10) Save the profile

11) Restart the SAP system

12) Restart with sapmmc

 13) Click "OK:

14) Wait for the reboot

C) Backend: Import the front end certificate created earlier

1) Execute TCODE: STRUSTSSO2

2) Click "Certificate" -> "Import"

3) Click 'Binary" and Select the portal certificate created earlier

4) Click the "tick" button

5) Click "Allow"

6) Certificate imported successfully

7) Click "Add to certificate list and continue clicking on the "Add to ACL" button

8) Enter System ID: J2E, Client: 000

9) New entry created at the Logon ticket section

10) Click "Save" button

D) Backend: Export certificate

 1) Click the "Export" button

2) Select "Binary" and enter filename ex: abap_back end_certificate.crt (to be import into front end server)

3) Click "OK"

E) Front end: Create a JCo RFC provider 

1) Execute TCODE: SMGW and mark down the LU Name, TP Name

2) Select Cluster: Server -> Services -> JCo RFC provider -> Runtime tab -> Bundles tab ->
     Registered server
     Enter Program Id: sapj2ee_port, Gateway host: LU Name, Gateway service: sapgw00,
     Server Count (1..20): 1

3) Click Repository: Specify Application Server
    Enter: Application server host: LU Name, System number: 00 (according to the relevant SAP system),
    Client: 000 (according to the relevant SAP system), Language: EN, User: SAPJSF,
    Password: master password created during installation or password reset for user: SAPJSF
    Click "Set" button

F) Front end: Add back end to security providers list

1) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: ticket
    Click the "Pencil" button to switch to edit mode  

2) Select Authentication tab -> "com.sap.security.core.server.jaas.EvaluateTicketLoginModule"
    Click Modify" button

3) Enter the following details:
    Name: ume.configuration.active, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button

4) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: evaluate_assertion_ticket
    Select Authentication tab -> "EvaluateAssertionTicketLoginModule"
    Enter the following details:
    Name: ume.configuration.active, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button
    Click Modify" button

G) Front end: Import the backend certificate 

1) Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Load" button

2) Select the "abap_back end_certificate.crt" that created from the backend system

3) The certificate imported successfully

4) Click "Yes" to exit the Visual Administrator

5) Restart the SAP system with sapmmc

H) Backend: Create and test the RFC connection

1) Execute TCODE: SM59 -> Select "TCP/IP Connection" -> Click "Create" icon

2) Enter RFC Destination: RFC_TO_PORTAL, Connection Type: T, Program ID: sapj2ee_port

3) Enter Gateway host = LU Name, Gateway service: sapgw00

4) Save and test the connection

5) Connection is ready

I) Login to portal

1) Execute TCODE: SOLMAN_WORKCENTER

2) The second layer authentication login screen will be bypass

3) That all for the SSO integration between backend system and front end portal

Error importing Front end: Import the backend certificate (section G)

1) Sample error appear during the import process

2) Rename the filename to a shorter filename

3) The import of the certificate will be successful