The SAP key mechanism is broken.
You can use this site SAP Tools – Your One-Stop Solution for SAP Troubleshooting to generate any developer key, SSCR key, maintenance key, license key.
Needless to say: use is at own risk!
SAP tools for keys
Author: saptechnicalguru
SAP BTP availability
SAP BTP is the new wave of SAP services which are running in the Cloud managed by SAP.
The technology involved in these services is in many cases a further development of a Netweaver stack or HANA database. They are not always cloud native developed.
While you are used that Google, Amazon and Microsoft cloud services are (almost) always available, SAP BTP has some steps to make. It already improved the last few year.
For the services you want to use the planned SLA maintenance windows are published by SAP here:
Maintenance Windows and Major Upgrade Windows for SAP Cloud Services
As example:
The product HANA cloud has Zero down-time maintenance and up to 4 times per year max 4 hours outage.
The product “SAP HANA service for SAP Business Technology Platform, enterprise edition” has each maintenance window of 4 hours.
Other example: ABAP stack;
Up to 24 hours maintenance 4 times per year.
These outages planned by SAP cannot be stopped (nor should they be). It is your job to check with your company and the business process to be supported, if you can deal with the planned outages. If your availability needs are lower then using SAP BTP is fine. If you needs are higher than the SLA from SAP, you need to reconsider.
ABAP dictionary check
In some cases you need to check the entire system for inactive objects.
For this you can use program RUTMSJOB (transaction S_SLN_44000018):
Select the checks and schedule the jobs with the button.
With the job overview you can see the running status:
When completed you can use the Results button:
By clicking on the glass icon, you can list the results of items that are not ok.
Other potential programs
Other potential programs are these ones:
DD_REPAIR_TABT_DBPROPERTIES, see OSS notes
- 3223149 – DDIC: checking technical settings of all tables with report DD_REPAIR_TABT_DBPROPERTIES)
- 3300154 – Dump DDIC_COMPTYPE_INCONSISTENT
- 3416211 – Report DD_REPAIR_TABT_DBPROPERTIES is missing in the system.
RUTCONSCHECK and RUTCHKNT, see OSS note:
OAUTH call from ABAP
OAUTH can be called from custom ABAP. The explanation is given in this formal SAP help file. But it is quite complex.
In the example program below we will use OAUTH to call SAP BTP CPI.
First in SE80 we create a OAUTH client profile named ZOAUTH_CLIENT_PROFILE_CPI:
Then the rest of the ABAP coding is according to the SAP help file, including the error handling on issues you might face.
*&--------------------------------------------------------------------*
*& Report Z_CALL_API_USING_OAUTH
*&--------------------------------------------------------------------*
*&
*&--------------------------------------------------------------------*
REPORT z_call_api_using_oauth.
PARAMETERS:
zp_url TYPE string LOWER CASE
DEFAULT 'https://apimanagement.eu10.hana.ondemand.com/v1/api/hc/xxx/call_name',
zp_sslid TYPE strustssl-applic DEFAULT 'ANONYM',
zp_profl TYPE oa2c_profiles-profile DEFAULT 'ZOAUTH_CLIENT_PROFILE_CPI',
zp_confg TYPE oa2c_client-configuration DEFAULT 'ZOAUTH_CLIENT_PROFILE_CPI'.
CONSTANTS:
BEGIN OF zgcs_create_return,
argument_not_found TYPE sy-subrc VALUE 1,
plugin_not_active TYPE sy-subrc VALUE 2,
internal_error TYPE sy-subrc VALUE 3,
others TYPE sy-subrc VALUE 4,
END OF zgcs_create_return.
START-OF-SELECTION.
" oData: restrict to two entries returned, via url
DATA(zgv_api_url) = |{ zp_url }?$top=2|.
cl_http_client=>create_by_url( EXPORTING url = zgv_api_url
ssl_id = zp_sslid
IMPORTING client = DATA(zlo_http_client)
EXCEPTIONS argument_not_found = zgcs_create_return-argument_not_found
plugin_not_active = zgcs_create_return-plugin_not_active
internal_error = zgcs_create_return-internal_error
OTHERS = zgcs_create_return-others ).
CASE sy-subrc.
WHEN zgcs_create_return-argument_not_found.
MESSAGE 'Argument not found when trying to create http client instance' TYPE 'E'.
WHEN zgcs_create_return-plugin_not_active.
MESSAGE 'Plugin not active for creation of http client instance' TYPE 'E'.
WHEN zgcs_create_return-internal_error.
MESSAGE 'Internal error when trying to create http client instance' TYPE 'E'.
WHEN zgcs_create_return-others.
MESSAGE 'Generic error when trying to create http client instance' TYPE 'E'.
ENDCASE.
zlo_http_client->propertytype_logon_popup = zlo_http_client->co_disabled.
TRY.
DATA(zgo_oauth_client) = cl_oauth2_client=>create( i_profile = zp_profl
i_configuration = zp_confg ).
CATCH cx_oa2c_config_not_found.
MESSAGE 'OAuth 2.0 Client Configuration not found' TYPE 'E'.
CATCH cx_oa2c_config_profile_assign.
MESSAGE 'OAuth 2.0 Client Config - Unassigned Profile' TYPE 'E'.
CATCH cx_oa2c_kernel_too_old.
MESSAGE 'OAuth 2.0 Client - Kernel too old' TYPE 'E'.
CATCH cx_oa2c_missing_authorization.
MESSAGE 'OAuth 2.0 Client missing authorization' TYPE 'E'.
CATCH cx_oa2c_config_profile_multi.
MESSAGE 'OAuth 2.0 Client Config - Profile assigned multiple times' TYPE 'E'.
ENDTRY.
" Set oAuth token to the http client
TRY.
zgo_oauth_client->set_token( io_http_client = zlo_http_client
i_param_kind = if_oauth2_client=>c_param_kind_header_field ).
CATCH cx_oa2c_at_not_available
cx_oa2c_at_expired.
" When setting the token fails, first try and get a new token
TRY.
zgo_oauth_client->execute_cc_flow( ).
CATCH cx_oa2c_badi_implementation.
MESSAGE 'OAuth 2.0 Client BAdI Impl. Error' TYPE 'E'.
CATCH cx_oa2c_not_supported.
MESSAGE 'Not supported by Service Provider.' TYPE 'E'.
CATCH cx_oa2c_not_allowed.
MESSAGE 'OAuth 2.0 Client Runtime - Not Allowed' TYPE 'E'.
CATCH cx_oa2c_prot_http_failure.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - HTTP Failure' TYPE 'E'.
CATCH cx_oa2c_prot_other_error.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Other Error' TYPE 'E'.
CATCH cx_oa2c_prot_unexpected_code.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Unexpected Code' TYPE 'E'.
CATCH cx_oa2c_prot_http_forbidden.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - HTTP 403 - Forbidden' TYPE 'E'.
CATCH cx_oa2c_prot_http_not_found.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - HTTP 404 - Not Found' TYPE 'E'.
CATCH cx_oa2c_server_error.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Server Error' TYPE 'E'.
CATCH cx_oa2c_temporarily_unavail.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Temporarily Unavailable' TYPE 'E'.
CATCH cx_oa2c_unsupported_grant_type.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Unsupported Grant Type' TYPE 'E'.
CATCH cx_oa2c_unauthorized_client.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Unauthorized Client' TYPE 'E'.
CATCH cx_oa2c_invalid_scope.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Invalid Scope' TYPE 'E'.
CATCH cx_oa2c_invalid_grant.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Invalid Grant' TYPE 'E'.
CATCH cx_oa2c_invalid_client.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Invalid Client' TYPE 'E'.
CATCH cx_oa2c_invalid_request.
MESSAGE 'OAuth 2.0 Client Runtime Protocol - Invalid Request' TYPE 'E'.
CATCH cx_oa2c_invalid_parameters.
MESSAGE 'OAuth 2.0 Client Runtime - Invalid Parameters' TYPE 'E'.
CATCH cx_oa2c_secstore_adm.
MESSAGE 'OAuth 2.0 Client Runtime - SecStore Administration' TYPE 'E'.
CATCH cx_oa2c_secstore.
MESSAGE 'OAuth 2.0 Client Runtime - Secstore' TYPE 'E'.
CATCH cx_oa2c_protocol_exception.
MESSAGE 'OAuth 2.0 Client Runtime - Protocol Exception' TYPE 'E'.
ENDTRY.
" Set oAuth token to the http client
TRY.
zgo_oauth_client->set_token( io_http_client = zlo_http_client
i_param_kind = if_oauth2_client=>c_param_kind_header_field ).
CATCH cx_oa2c_at_not_available.
MESSAGE 'oAuth 2.0: Acces token not available' TYPE 'E'.
CATCH cx_oa2c_at_expired.
MESSAGE 'Access Token has expired.' TYPE 'E'.
CATCH cx_oa2c_at_profile_not_covered.
MESSAGE 'Access token has expired.' TYPE 'E'.
CATCH cx_oa2c_not_supported.
MESSAGE 'Not supported by Service Provider.' TYPE 'E'.
CATCH cx_oa2c_badi_implementation.
MESSAGE 'OAuth 2.0 Client BAdI Impl. Error' TYPE 'E'.
CATCH cx_oa2c_secstore.
MESSAGE 'OAuth 2.0 Client Runtime - Secstore' TYPE 'E'.
CATCH cx_oa2c_invalid_parameters.
MESSAGE 'OAuth 2.0 Client Runtime - Invalid Parameters' TYPE 'E'.
CATCH cx_oa2c_icf_error.
MESSAGE 'Unknown error received from ICF.' TYPE 'E'.
ENDTRY.
CATCH cx_oa2c_at_profile_not_covered.
MESSAGE 'Access token has expired.' TYPE 'E'.
CATCH cx_oa2c_not_supported.
MESSAGE 'Not supported by Service Provider.' TYPE 'E'.
CATCH cx_oa2c_badi_implementation.
MESSAGE 'OAuth 2.0 Client BAdI Impl. Error' TYPE 'E'.
CATCH cx_oa2c_secstore.
MESSAGE 'OAuth 2.0 Client Runtime - Secstore' TYPE 'E'.
CATCH cx_oa2c_invalid_parameters.
MESSAGE 'OAuth 2.0 Client Runtime - Invalid Parameters' TYPE 'E'.
CATCH cx_oa2c_icf_error.
MESSAGE 'Unknown error received from ICF.' TYPE 'E'.
ENDTRY.
" From here on handle the http client for the API interaction
zlo_http_client->request->set_version( if_http_request=>co_protocol_version_1_0 ).
DATA(zlo_rest_client) = NEW cl_rest_http_client( io_http_client = zlo_http_client ).
" Get data from API
TRY.
zlo_rest_client->if_rest_client~get( ).
" Collect response received from the REST API
DATA(zli_response) = zlo_rest_client->if_rest_client~get_response_entity( ).
DATA(zgv_http_status_code) = zli_response->get_header_field( `~status_code` ).
DATA(zgv_status_reason) = zli_response->get_header_field( `~status_reason` ).
DATA(zgv_response_data) = zli_response->get_string_data( ).
" Record the response of the interface
IF zgv_http_status_code BETWEEN 200 AND 299.
" Success
MESSAGE 'Call was succesful' TYPE 'S'.
ELSE.
MESSAGE 'Call failed' TYPE 'E'.
ENDIF.
WRITE / 'Response'.
WRITE / zgv_response_data.
" Issues with REST client must not lead to a short-dump
CATCH cx_rest_client_exception INTO DATA(zlx_rest_client).
IF zlx_rest_client->if_t100_message~t100key IS NOT INITIAL.
DATA zlv_message TYPE string.
MESSAGE ID zlx_rest_client->if_t100_message~t100key-msgid
TYPE 'E'
NUMBER zlx_rest_client->if_t100_message~t100key-msgno
WITH zlx_rest_client->if_t100_message~t100key-attr1
zlx_rest_client->if_t100_message~t100key-attr2
zlx_rest_client->if_t100_message~t100key-attr3
zlx_rest_client->if_t100_message~t100key-attr4.
ELSE.
MESSAGE 'Rest client Exception' TYPE 'E'.
ENDIF.
ENDTRY.
zlo_http_client->close( ).
Security Services Tools
SAP offers on GitHub some extra Security Service Tools. These are custom Z ABAPs you can download and modify to your needs.
Link to GitHub:
Interesting programs from Security Service Tools
Some highlights from the Security Service Tools page:
- Extensive cleanup program for weak hashes (including the password history data)
- Workload statistics of RFC calls
- Show SNC status of active users on application server
- Show RFC gateway and logging settings
- History of dynamic profile parameters
- ….
- Many more
SAP Focused Run LMDB and landscape management
SAP Focused Run LMDB is a great source of technical information. Especially with the new graphical view.
In SAP Focused Run LMDB is now part of Landscape Management.
LMDB administration (up to FRUN5.0)
With the LMDB administration page you can see the LMDB status:
Green is ok:
If not green, check the status for needed actions.
LMDB object maintenance
The LMDB Object Maintenance tile can be used to maintain a single LMDB entry:
Now select the system on the LMDB search screen:
And then push the button Display to go to the details:
On the left side you can choose a specific view on the system, like software, database, technical instances etc. If you click on the left side, the right side will show the details.
LMDB tools and graphical overview
The LMDB tools offer a graphical overview. First open the LDMB tools FIORI tile:
In Focused Run 5.0 there is a new tile for this:
Then select the technical system (in Focused Run 5.0 the main overview opens, and you need to select the technical systems on the left):
Now press the blue Hierarchy button to go to the graphical overview (in FRUN 5.0 simply click on the blue system name):
On the left is the graphical decomposition. On the right the details per object selected on the left side.
FRUN 5.0 landscape management
In Focused Run 5.0 there is a new tile replacing the LMDB and called Landscape Management:
The start page is an overview of all your systems and its status:
The other LMDB functions are still present on the left side of the screen.
API for LMDB
The SAP Focused Run LMDB has an API. For more details, read this blog.
LMDB updates
The LMDB updates are triggered automatically. This behavior can be changed in certain situations or even totally switched off. Read more on this SAP Focused Run export portal page. See also OSS note 3376303 – Support switch for disabling Agent deployments triggered by LMDB events for older versions.
Data archiving: customer and vendor master data
This blog will explain how to archive customer and vendor master data via objects FI_ACCRECV and FI_ACCPAYB. Generic technical setup must have been executed already, and is explained in this blog.
Most use of this archiving is when customers and vendors are created wrongly, to get them deleted from the system.
The below is mainly focusing on traditional ECC system. In S4HANA system both customers and vendors are integrated as business partners. For archiving sections of business partners for customer and / or vendors, read OSS note 3321585 – Archiving for Business Partner and Customer / Suppliers.
If you also want to archive/delete the LFC1 and KNC1 tables, also implement the FI_TF_DEB and FI_TF_CRE archiving objects.
Object FI_ACCRECV (customers)
Go to transaction SARA and select object FI_ACCRECV (customers).
Dependency schedule:
A lot of dependencies. Everywhere a customer number is used in an object. This makes it almost impossible to archive a customer master record. But still: it can be done to delete wrongly created master data if no transaction data is created yet.
Main tables that are archived:
- KNA1: General customer master data
- KNB1: Company code specific customer master data
Object FI_ACCPAYB (vendors)
Go to transaction SARA and select object FI_ACCPAYB (vendors).
Dependency schedule:
Quite some dependencies. Everywhere a customer number is used in an object. This makes it almost impossible to archive a vendor master record. But still: it can be done to delete wrongly created master data if no transaction data is created yet.
Main tables that are archived:
- LFA1: General vendor master data
- LFB1: Company code specific vendor master data
Technical programs and OSS notes
Write program customers: FI_ACCRECV_WRI
Delete program customers: FI_ACCRECV_DEL
Write program vendors: FI_ACCPAYB_WRI
Delete program vendors: FI_ACCPAYB_DEL
Relevant OSS notes:
- 788105 – Archiving FI_ACCRECV
- 882390 – Archiving FI_ACCPAYB: Standardization
- 2408798 – FI_ACCPAYB & FI_ACCRECV: Vendors & Customers that are not blocked are considered for deletion
- 2475865 – SARA: Archive Infostructure missing for archiving objects FI_ACCRECV and FI_ACCPAYB
- 2646216 – FI_TF_CRE / FI_TF_DEB: Totals Records are not archived if an entry exists only in LFC3/KNC3
- 2659133 – FI_TF_CRE : Snapshot does not work
- 2660240 – FI_TF_DEB & FI_TF_CRE: Error while determining BOR Keys
- 2873484 – FI_ACCPAYB_WRI : Archiving of vendor master data cuts log output of MM data
- 3080001 – FI_TF_DEB, FI_TF_CRE: Incomplete Object details in the logs
- 3016433 – FI_TF_CRE and FI_TF_DEB Archive Infostructure
- 3224712 – FI_ACCPAYB: BOR Keys are not determined correctly during deletion step
- 3321585 – Archiving for Business Partner and Customer / Suppliers
- 3300696 – Links to customer/supplier destructed instead of being archived
- 3434562 – Archiving Customer/Vendor roles in S4HANA
- 3470982 – Links to customer/supplier destructed instead of being archived-2
- 3501525 – Vendor Master Archiving (FI_ACCPAYB) does not check SD/LE partner
- 3525699 – LAST_CHANGE_DATE is provided as one of the time reference(part II)
Application specific customizing
There is no application specific customizing for customer and vendor archiving. You can use XD06 for customer master deletion flag setting and XK06 for vendor master deletion flag setting.
Executing the write run and delete run Customers
For customers: in transaction FI_ACCRECV select the write run:
Important is the consideration of the validation links and the deletion indicator. Customer deletion indicator flag can be set with transaction XD06.
Select your data, save the variant and start the archiving write run.
There is a sequence inconsistency. The online help has sequence FI, SD, general. The OSS note 788105 - Archiving FI_ACCRECV has sequence SD, FI, general.
You have to do the run three times: for FI, SD and general.
Deletion run is standard by selecting the archive file and starting the deletion run.
Executing the write run and delete run Vendors
For customers: in transaction FI_ACCPAYB select the write run:
Important is the consideration of the validation links and the deletion indicator. Vendor deletion indicator flag can be set with transaction XK06.
Select your data, save the variant and start the archiving write run.
You have to do the run three times: for FI, MM and general. A sequence is not given in OSS note, nor in online help.
Deletion run is standard by selecting the archive file and starting the deletion run.
Load balancing analysis tool
With SAP note 3515065 – Load Balancing Analysis, SAP delivers a new load balancing analysis tool.
Prerequisites
There are 2 prerequisites for the new load balancing analysis tool to work:
- Install OSS note 3515065 – Load Balancing Analysis
- Make sure snapshot monitoring is active (read this blog on activation)
Running the tool
To start the tool go to transaction SE38 and start program /SDF/RSLOADANALYSIS.
Selection screen:
Select the date range you want to analyze. The delta factor is normally 10 but bit too low. Increase it for more realistic result. This is factor to conclude if balancing is ok or not. Only 10% difference from average is too idealistic.
Output screen has 3 parts.
The first part is the load balancing analysis.
An overview is given on batch server groups, logon groups and RFC server groups. You can see which groups are defined, and how they are distributed over the application servers.
The second part is the work process analysis part.
Here you can see how load is distributed over the application servers using the snapshot monitoring statistics. The central instance can be excluded from the load balancing and hence show as ‘not balanced’.
The third part is host machine data.
Here you can see if the servers are having equal CPU power and memory. If no data for a sever: check in ST06 if it is configured properly.
It can be that CPU and memory are identical, but that older infrastructure was used. Then the CPU and mem look the same, but there can still be significant difference in CPU speed and memory speed. To rule this out, run the ABAPMETER tool.
SAP GUI for slow or remote network
Sometimes SAP users are far away from the server. There is much latency. For a global SAP system this is unavoidable. In some cases there might be a remote location you need to support which has a slow and/or low bandwidth connection.
In that case you best setup the SAP GUI to use
Default is as above. For low speed users, ask them to select the Low Speed Connection.
Some minor usability functions will be lost (see OSS note 161053 – Use of SAP GUI in WAN – SAP for Me):
- No enhanced search
- SAP GUI scripting might fail
- Paging in long lists
But overall, the performance gain will outweigh normally these minor setbacks.
SAP help file: reference.
/SDF/SMON_DISPLAY to display snapshot monitoring data
The snapshot monitor tool is capturing a lot of good data. Displaying it can be bit harder. Here is where the /SDF/SMON_DISPLAY is helping.
Generic OSS note for this display is: 3210905 – Display Snapshot Monitor Data.
Setting link to plotly upfront
Before /SDF/SMON_DISPALY is working, you have to set a link to the plotly library. You can do this for all users, or for your personal user by setting a SU3 parameter:
Using /SDF/SMON_DISPLAY
Simply start transaction /SDF/SMON_DISPLAY:
Fill out the measurements you want to see. And the last n minutes. Automatically the results are shown in a separate window:
Extra enhanced functions
Extra functions are released in new OSS notes: