Author: saptechnicalguru

SAP interfacing: REST

The SAP ABAP stack can also interface using REST protocol. To support this interface protocol SAP has developed special classes in the ABAP stack.

Questions that will be answered in this blog are:

  • How do I create a REST interface in ABAP stack?
  • How do I test a REST interface in ABAP stack?
  • Which tools to use to developer REST interface?

REST in ABAP

SAP delivers in the ABAP netweaver stack the ABAP REST library. The full specification can be found on the SAP help portal. The help portal also contains a small tutorial. Next to the pre-delivered REST library classes there are no tools for you available to faster develop REST in ABAP. It is coming down to SE24 and SE80.

Good reference blog is the SAP blog on usage of REST in Netweaver 7.4. This also explains the generic REST architecture implementation in ABAP.

Creating REST service in ABAP

We will create a simple Hello World REST service in ABAP. There are 2 main classes in REST ABAP: the application class handling the URL and the resource class where the logic is.

Start transaction SE24 and create a new class inheriting from the SAP delivered class CL_REST_HTTP_HANDLER:

important here to press the inheritance button! Fill out CL_REST_HTTP_HANDLER as superclass:

It is mandatory to redefine the GET_ROOT_HANDLER method:

For now just leave the method empty. Save and generate.

Now create the REST resource class based on inheritance of CL_REST_RESOURCE:

Now redefine the GET method:

No we add a simple implementation by simply adding the text ‘Hello World’:

Save and activate this class.

Now we go back to the previous class: the application class. In here we now edit the GET_ROOT_HANDLER implementation we left empty earlier:

If the URL is getting the input /hello then the handler class (our resource class) ZCL_HELLO_WORLD_RES_REST is called. This class will return the string.

Save and activate again. The coding work is done.

Runtime implementation

Now we need to make a runtime implementation. Goto transaction SICF and select the main node default_host first. Then select from the menu Service/Host the option Create Service:

Fill out the name of the service and click ok. In the next screen give a description and in the Handler List section refer to the application class ZCL_HELLO_WORLD_REST:

Save the service. The service is created but not active. To activate right click on the service and select Activate:

Testing the service

From the previous SICF screen right click the service again and select the option Test Service. A screen will come that says “No suitable resource found”. Now modify the URL by adding /hello after the test in the URL, and press enter again:

The URL build up: the test is the name defined in SICF. The /hello was defined in the application class.

Authorizations and security

The REST library has no specifics about authorization and security. So you have to take care your self.

Business authorization security: has to be built in via AUTHORITY-CHECK statements at the correct spots.

Technical security is provided in the Logon Data tab on the SICF node. Here you can set requirements for the technical logon method and if you only allow https.

REST versus ODATA

ODATA is based on REST and has more features. If you have a choice, you best use ODATA. ODATA exposing is described in this blog.

In SAP REST is supported, but you have to code a lot, and limited tools are available. For ODATA much more development and monitoring tools are available.

SAP interfacing: ODATA

In the previous blog we have setup RFC enabled function module. If you want to expose this function module as ODATA service you can use the wizard in transaction SEGW. This blog assumes the basis ODATA basis activation has been performed (see this blog).

Questions that will be answered in this blog are:

  • How do I generate an ODATA service based on a RFC function module?
  • How do I test if the ODATA service is properly working?

Set up of the ODATA service

Start transaction SEGW and create a new project:

Now start the RFC import wizard by right clicking on Data Model and selecting the option Import and then RFC/BOR interface:

Now select the data parameters:

And enter which field is key field:

After pressing finish the wizard will generate the needed classes.

Save your work and press the check button to validate if everything is ok:

Now we need to map the implementation to the RFC module. Right click on the GetEntitySet below ZODATADEMOENTITYSet and select Map to Data Source:

Now map the fields (you can use drag and drop):

Now you need to map the data fields correctly and press check.

Save your work.

Generation of objects

You can see that the Runtime Artifacts section is still empty.

Now press the button Generate Runtime Artifacts:

Wait for the generation to finish:

Now the runtime artifacts are generated, but the service maintenance is not done yet. Open the section Service maintenance and double click on the system:

Now press the Register Service button:

Accept settings and assign package for transport:

Now the registration status is green.

Testing the ODATA service

Press the button SAP Gateway Client (or start transaction /IWFND/GW_CLIENT directly, and then enter the correct service):

The test client starts:

Enter the correct inputdata: /sap/opu/odata/SAP/ZODATADEMO_SRV/ZODATADEMOENTITYSet(‘1’)

And check the output:

Attention points

The example above seems simple, but you will face more issues in real live implementation when you need to add tables and more complex structures. In those cases additional configuration and many times extra coding in the methods of the generated classes is required.

Nice blogs to start with:

ODATA security

The user calling the ODATA service needs a special right in SAP to be allowed to call the ODATA service.

Start transaction PFCG and create a new role. On the menu tab select the option Authorization Default. Then select type Tadir and object type IWSV gateway business suite enablement. Now you can finally search for our own developed and activated ODATA service:

Now save the role and assign it to the user(s) needing to call this ODATA service.

The application security relies on the function security authorization check inside the RFC function module.

ODATA V2 and V4

SAP is now moving from ODATA V2 towards ODATA V4. Read more on ODATA V4 activation in this blog.

SAP interfacing: consuming web services

In the previous blog we have exposed a web service. Now we will show how to consume a web service in ABAP. As example we will consume the web service we exposed in the previous blog. This blog assumes you have configured the basic web service SOAP runtime (if not, read this blog).

Questions that will be answered in the blog are:

  • How to generate a web service consumption proxy?
  • How to setup SOAMANAGER for web service consumption?
  • How to test the web service consumption setup in SE80?
  • How to use the generated web service consumption proxy in ABAP code?
  • What are the authorisation and security aspects for web service consumption?

Generating web service consumption proxy

Start in SE80 by exporting the WSDL file from your previously generated webservice. Goto the WSDL tab and press export to save the WSDL file locally:

In SE80 in your package select Enterprise Services and right click on it to create a new service:

In the object type screen select Service Consumer:

Now select External WSDL/schema:

Select local file:

Select the local file:

Select the package, transport and use Z as prefix:

Then select Finish to complete the roadmap.

Wait for the system to compile the software:

Save and Activate. Now the design time proxy is ready.

SOAMANAGER settings

In the previous steps we have setup the design time proxy. Now we add the runtime artefacts as well.

Now goto transaction SOAMANAGER:

Select Web Service Configuration, and search for the newly created design time object:

Click on the blue internal name to reach the configuration screen:

On the screen press Create and then manual configuration:

Give the logical port a name and description and mark the logical port is Default tickbox to true. Then continue with the roadmap.

Now fill out user ID and password. Continue and fill out user ID and password:

You can lookup the access URL from the service defined in the previous blog and check on the transport settings tab:

Do not use the WSDL URL address, but the binding URL!

Now fill out the URL details in the next screen.

Now finish the roadmap. And on this screen hit the ping web service test button to check if all is ok:

The design time artefacts can be transported. The SOAMANAGER settings need to be repeated in each system. This is wanted as well, since on a test system you might want to call a test web service URL and on production the same web service from the production URL.

Testing the web service consumption setup

Now go back to SE80 and test the web service consumption:

Select the port you created above in SOAMANAGER:

Edit the data:

And press test to get the results:

Using the web service consumption proxy in ABAP code

Now we are ready to use the web service consumption proxy in our ABAP code. ABAP code example:

*&---------------------------------------------------------------------*
*& Report ZCONSUMEWS
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zconsumews.

* Data Declarations
DATA: zcl_proxy TYPE REF TO zco_zbapidemowebservice, " Proxy Class
      zdata_in  TYPE zzbapidemo, " Proxy Input
      zdata_out TYPE zzbapidemoresponse, " Proxy Output
      zfault    TYPE REF TO cx_root. " Generic Fault

* Instantiate the proxy class providing the Logical port name
CREATE OBJECT zcl_proxy EXPORTING logical_port_name = 'ZDEMOWS'.

* Set Fixed Values
zdata_in-zimport = '1'.

TRY .
    zcl_proxy->zbapidemo( EXPORTING input = zdata_in
                          IMPORTING output = zdata_out ).
    WRITE: / zdata_out-zexport.
  CATCH cx_root INTO zfault.
* here is the place for error handling

ENDTRY.

Run the ABAP and see the result:

How to get the right parameters? All the required structures can be found on the SE80 ABAP web service consumption proxy internal view:

Authorizations

The end users using the ABAP that is consuming the web service must be given the rights for the correct S_SERVICE object. Otherwise they will get an error that they are not authorized to call the proxy service object.

Monitoring the availability of the web service

It was explained you can test the connection. Unfortunately there is no out of the box way to test this connection in a batch job on a frequent basis. If you want to frequently test and be alerted on issues with connection to the web service, you can read this blog to deploy a simple custom program that executes this function and can be planned in the background.

Background notes and blogs

More information and details can be found in these 2 SAP wiki’s: wiki1 and wiki2.

Relevant OSS notes:

SAP interfacing: exposing web services

In the previous blog we have created a test RFC module. We now will expose this test RFC module as web service. This blog assumes the basic SOAP web service runtime has been done according to the manual in this blog.

If you are looking for information on how to consume a web service in the ABAP stack: read this blog.

Questions that will be answered are:

  • How can I generate a web service design time based on an RFC module?
  • How do I activate the web service runtime via SOAMANAGER?
  • How do I test my web service?

Creating the web service based on RFC module

Goto transaction SE80 and search for the test BAPI:

Now right click on the name ZBAPIDEMO function module and select the option Create / Enterprise Service:

Fill out the name for the service definition and the description. Press Cont. to continue to the next screen:

Press Cont to go to the next step:

Press Cont. to go to the next screen:

Fill out your package and transport request. 

Important here: on a sandbox you might want to use a local object ($TMP). In a development system, NEVER use the local option. A lot of data structures and coding will be generated. If you later try to move the objects from $TMP to a real package, you will be faced with a lot of issues. See note  886682 - Proxy inconsistencies on the use of repair programs SXIVERI_PROXY_HASHID_CHECK and SXIVERI_PROXY_HASHID_CHECK_70. After the cumbersome and painfull repair you will not make the mistake again...

Press Cont. to goto the last screen:

On the screen you can already see the next action after completion: SOAMANAGER. But first press Complete to start the generation of the objects.

After the generation, do not forget to Activate the objects!

Activation success message:

Setting up the runtime with SOAMANAGER

To setup the runtime, start transaction SOAMANAGER. It is assumed that the basis team has performed the initial SOAP runtime setup. If not done, ask the basis team to follow the steps in this blog.

On the SOAMANAGER start screen choose the option Web Service Configuration:

In the next screen search for the design time object we created and activated in the previous section (if you forgot the activate, you will not find it now…):

Select the service and on the next screen press the button Create Service:

Fill out the definition details:

Press Next and define the security settings:

Remark: in the newer versions, the default security is set to high. If you need lower security, go back to SE80 definition in the tab configuration to change the security profile (save and regenerate!):

Press next and define the SOAP protocol settings:

On the last screen of the wizard press finish:

Wait for the runtime generation to finish.

The screen returns to the generated runtime artifacts:

The most important artifact is WSDL file which you can open from here.

Testing the service

Go to transaction SE80 and select the Enterprise Services Browser (if not visible go to menu path Utilities/Settings and add the tool):

Now open your service by clicking the Open Object button and search for the service in the second tab:

Check that the WSDL file is properly showing:

If ok, press the test button (F8) to start the test tool:

On the next screen first press the XML editor button to allow the content to be changed:

Now press execute to test. The result:

Web service security

The functionality security of the web service is the same as for the generic RFC handling (see blog on this).

The technical security of web services is mainly driven from the security settings in SOAMANAGER. There you can set the transport protocol security and you can indicate if you want simple user ID / password security or work with additional certificates for server to server authentication.

The user calling the SAP web service must have the authorization object S_SERVICE. In S_SERVICE you can define the specific web service it needs to be able to call.

Troubleshooting web services security issues

For troubleshooting web services note 2321968 – SOAP Web Service Security Troubleshooting refers to a very extensive SAP site for web service security issues troubleshooting.

Monitoring web services

For monitoring web services, read this dedicated blog.

SAP interfacing: RFC

SAP has many different ways to interface. The RFC (Remote Function Call) protocol is one of the most wide used.

This blog will explain best practices around secure and correct setup of custom built ABAP RFC function modules.

Questions that will be answered are:

  • How to setup RFC enabled function module?
  • How to setup proper RFC error handling?
  • How to setup security in RFC enabled function module?
  • How strict is the S_RFC authorization handling?
  • Why is SAP_ALL not sufficient for RFC handling?

Creation of test RFC enabled function module

In SE37 you can setup an RFC enabled function module just like a normal function module. First create a function group. Activate that function group in SE80. Now you can create the function module. We will call our test module ZBAPIDEMO:

Important here in the first tab is to set the processing type to Remote-Enabled Module.

For testing we setup import and export tabs:

Important here with RFC: set the Pass by value tickbox.

For tables use a suitable table type:

And setup the correct exceptions:

Here you can see 2 very important error messages that should always be implemented:

  1. An extra authorization check
  2. An error message when no data is found

Now we can implement the following simple source code:

   DATA: zls_coms_gen_textline TYPE coms_gen_textline.
 
   AUTHORITY-CHECK OBJECT 'S_CDMC'
   ID 'CDMC_AREA' FIELD 'A'
   ID 'CDMC_ROLE' FIELD 'U'.
   IF sy-subrc EQ 0.
 
     CASE zimport.
       WHEN 1.
         zexport = 'Hello world'.
       WHEN 2.
         zls_coms_gen_textline-entry = 'Hello world table 1'.
         APPEND zls_coms_gen_textline TO ztable.
         zls_coms_gen_textline-entry = 'Hello world table 2'.
         APPEND zls_coms_gen_textline TO ztable.
       WHEN OTHERS.
         RAISE not_found.
     ENDCASE.
 
   ELSE.
     RAISE not_authorized_business.
   ENDIF.

What is important here in this source code:

  1. The authorization check is implemented and raises an error
  2. If no data is found the NOT_FOUND error is raised

With the SE37 test suite you can test diverse scenario’s now.

Calling RFC function module from another ABAP system

If you call this RFC function module form another ABAP sytem you have to make sure you have set and check the following exceptions:

  exceptions

      not_authorized_business = 1

      not_authorized          = 2

      system_failure          = 3

      communication_failure   = 4

      not_found               = 5

      OTHERS                  = 6.

There are 2 exceptions from the BAPI definition:

  1. NOT_FOUND (nothing found)
  2. NOT_AUTHORIZED_BUSINESS (our own implemented business authorization check)

4 exceptions should be implemented as part of the RFC framework:

  1. NOT_AUTHORIZED: this is the RFC authorization, which will be explained next chapter
  2. SYSTEM_FAILURE: the coding has caused a dump and the system returns and error message (see OSS note 2484377 – Error Message: “RFC Exception SYSTEM_FAILURE Raised; No More Memory Available to Extend an Internal Tab” Upon Executing a Data Extraction Run as an example)
  3. COMMUNICATION_FAILURE: the call to the other system fails. Most likely if you go to SM59 to the RFC destination and perform a connection test you will get a failure.
  4. OTHERS: something else went wrong

The developer should take proper care of these error situations. 

Dear ABAP developers: the basis team member are also humans. They will make RFC configuration errors, they rely on the authorization team to assign the correct roles and they rely on infrastructure providers to make sure systems are up and running. Also the basis team will need to perform patching and upgrades to the system, which you as ABAP developer, are calling. So please don't blame the basis team for these exceptions, but please be a good developer and implement proper error handling. If you didn't implement proper error handling, and something went wrong on basis side, that caused your code to go wrong, think twice before putting blame on basis if your code is not handling the situation properly.

For reference: OSS note 1371131 – Correct error handling of RFC calls.

Security of RFC calls

Security of RFC calls is consisting of 2 layers:

  1. The RFC layer
  2. The business application code

You should always implement both layers!

The RFC layer is protected by authorization object S_RFC:

Here you can choose between a function group or even allowing per function module. Personally I would protect by function module. Background: create, change and display BAPI’s will normally be developed inside same function group.

There is a common misunderstanding that if you give SAP_ALL to a (background) user, this would solve the RFC authorization issues. This is not true. SAP_ALL does not contain the S_RFC rights. You have to hand them out separately.

Best practice 1: you might want to start with broad authorizations at the beginning of a development to rule out authorization issues. But you must definitely limit the rights before you make the development go productively live.

Best practice 2: as first statement inside each and every RFC function module, program a relevant business authorization check statement. This is an extra safety measure that is needed to protect important business data from authorization consultants that have handed out * authorizations in object S_RFC (* means all).

Best practice 3: check in transaction SM59 that the RFC callback protection is activated. Read this blog how a hacker can easily misuse if not properly setup.

Best practice 4: be careful on the RFC setup to avoid that hackers misuse the RFC jumping option. Read more in this blog.

More on checking the basis RFC security: read this blog.

Generic S_RFC check handling at basis level

The behavior of the S_RFC check is driven by the settings of RZ11 profile parameter auth/rfc_authorithy_check. Please make sure it has a setting of 6 or higher. Best is 9. A system with 5 or lower can be considered as insecure!

Background OSS note: 2216306 – S_RFC check and profile parameter auth/rfc_authority_check.

Setting up trusted RFC connections

Set up of trusted RFC connections are explained in this blog.

RFC performance

Check if you can use the RFC fast serialization option. This option is available for a lot of modern SAP systems. It is not activated by default. Read more on the fast serialization option in this blog.

Running SCI and ATC on standard SAP and add-ons

SCI and ATC are very powerful code scanning tools (see blog and blog). Unfortunately you cannot apply it to standard SAP and add-ons.

Analyzing standard SAP code is the responsibility of SAP, and they take good and secure code (since they provide good code, it is weird they don’t allow everybody to scan their code…). Unfortunately a lot of add-on providers do not.

The blog will explain how to scan code of standard SAP and mainly on add-ons.

Questions that will be answered are:

  • What is the background on not being able to scan standard SAP and add-on code?
  • Can I truly scan the code of a new OSS note 7 days?
  • How can I work around these restrictions and still scan the code of an add-on?

Background

The background of not being able to scan standard SAP code is explained in OSS note 1986391 – Using SLIN/SCI to check SAP standard objects. This note also explains you can scan OSS notes and transports for 7 days. After that time it is no longer possible. Unfortunately this rule also applies to add-ons.

Why run SCI on add-ons?

Why would you want to scan add-ons? Add-ons come with various quality levels. Ranging from very well written with much attention to performance and security. Some add-ons are full of performance issues and full of security leaks. Some are even allowing full dynamic read SELECT and UPDATE statement without any authorization check. This is heaven for a hacker!

The below method is meant for scanning these poor add-ons using the SCI tool for performance, robust coding and security.

ATC checks on non-SAP addons

First apply OSS note 2215288 – ABAP Test Cockpit: Analyzing Objects Using Arbitrary Prefix Namespaces.

For ATC checks, now run program SATC_AC_INIT_NAMESPACE_REG to add the namespace as registered for ATC.

See note 2439348 – SATC_AC_INIT_NAMESPACE_REG list is empty, if you get empty list.

See OSS notes: 2141202 – FAQ – ATC/CI: Analysing Objects with Custom Prefix Namespace ‘/MYSPACE/’ and 2313169 – ATC checks and ABAP Unit tests for objects in producer namespaces not possible

How to run SCI on SAP standard?

When you run the SCI tool on an add-on by selecting package or development object, you get the message that it does not contain any objects:

This is because your selection is first scanned for standard SAP and add-on objects. These are removed. So the result set is empty.

Goto transaction SE24 and select class CL_CI_OBJECTSET. Now select method BUILD_TADIRSET and display the code:

Put a break-point as statement if ENABLE_CI ne ‘X’.

Now start the SCI tool again. If the debugger stops at this statement, use debug and replace to change the content of ENABLE_CI to ‘X’. Now the skipping of SAP and add-on objects is not done. SCI will scan the code. It will still not use SLIN. But these are minor checks.

Bug fix OSS notes

Bug fix notes:

Load balancing settings

Larger productive systems have multiple application servers to spread the workload. But if the system is not configured properly one application server can be overloaded while others are almost idle. This blog will explain the load balancing settings.

Questions that will be answered are:

  • How can I check my current load balancing situation?
  • How can I load balance SAP GUI users?
  • How can I load balance SAP to SAP RFC traffic?
  • How can I load balance external system to SAP RFC traffic?
  • How can I load balance qRFC traffic?
  • How can I load balance batch jobs?
  • How can I load balance web traffic?
  • How can I load balance workflows?
  • How can I configure MRP parallel processing settings?
  • How can I configure load balancing for TMS transport system (STMS)?
  • How can I validate if load is properly balanced?

How to make parallel processing settings

Parallel processing settings are explained in this blog.

How to check current situation of load balancing

You can start transaction AL08_OLD (in older systems AL08) to get an overview of the distribution of your logged on users and how they are spread over the application servers:

Load balancing for GUI logon

With transaction SMLG you can setup logon groups that can be used for SAP GUI logon and RFC logon. In the details of each logon group you can make dedicated settings:

The Fav.Typ setting indicates the load balancing mechanism (round robing, best performance, weighted round robin). Set Ext RFC-enabled to also do load balancing in this group for external RFC calls.

You can set limits per application server on response time and amount of users. This limit is not a hard limit, but a soft limit to influence the quality calculation. The setting is per application server and it is across the logon groups (you cannot make settings per logon group). The background of these limits is explained in OSS note 118093 – Concepts of defining ‘limits’ in logon load balancing and on the SAP wiki page.

In SMLG you can choose menu option Goto / Load distribution to get an overview of the current load distribution and quality:

A higher quality number means it has the best quality. New users that logon will be routed to this server if you have set the SMLG settings to Best Quality.

Relevant OSS notes:

RFC traffic load balancing for SAP to SAP connections

For SAP to SAP connections using RFC you have to set the load balancing to Yes in SM59 and fill out the proper message server and logon group details:

RFC traffic load balancing for external system to SAP connections

Many external systems connect to SAP via the SAP JCO connector. The JCO connector can do load balancing, if configured properly. The problem here is that the developers form the other application using JCO have no idea on the settings to be made. The other problem is that on a development system the settings are typically pointing to one server only and the basis team did not configure load balancing. Now suddenly in production (or in a quality environment) they have to switch to load balanced settings using different parameters.

The parameters settings to be made are explained in:

Tips for basis team:

  • Also setup the logon group in development system and assist the external team with the needed settings. The best way is that the external team uses load balancing settings from the start in development as well
  • Setup extra application server in quality landscape to test load balancing

RFC server group

With transaction RZ12 you can setup RFC server groups that also can be used for load balancing purposes.

RFC load balancing for qRFC

If you use qRFC (this is used for example in the CIF interface to SCM and EWM), then you need to configure the RFC group (settings made in RZ12) in transactions SMQS and SMQR. See blog on qRFC.

Web traffic load balancing

For web traffic load balancing, you have to set up the SAP web dispatcher. In the SAP web dispatcher you can configure to which back-end application servers to use.

Batch job load balancing

Batch job load balancing can be done by setting up batch job server groups in transaction SM61. See this blog.

Workflow load balancing

For workflow load balancing read OSS note 888279 – Regulating/distributing the workflow load.

Inbound Idoc processing load balancing

Inbound idoc processing program RBDAPP01 has an option for parallel processing:

Make sure you apply OSS note 3167309 – Delay in IDoc processing when using RBDAPP01 report (and 3142563 – Parallel processing in RBDAPP01, 3064890 – ALE: Endless loop during IDoc processing).

MRP run parallel processing

The MRP run (material requirements planning) is a very intensive process from the system perspective and very important from business perspective. It is important that the MRP run finishes in time, but is also should not overflow the system by occupying all work processes and CPU. In this customizing action you can defined the MRP run parallel processing settings:

Now you can assign the specific application servers that the MRP run is allowed to use in parallel and the maximum amount of work process it can use:

For background on MRP parallel processing settings, read OSS note 568593 – FAQ for parallel MRP: MD01, MS01, MD40, MDBT – Number of parallel planning processes in OMIQ, settings, server load, and so on.

There is also specific MRP tool now available. Not related to parallel processing, but is can help you in technical optimization of the MRP run. See blog.

Load balancing for GRC access control SOD risk analysis

View V_TBANK_PP_DISTR (via tcode S_GF1_13000059) determines the load balancing for GRC access control SOD risk analysis:

Load balancing TMS transport system (STMS)

OSS note 943334 – TMS setup in high-availability systems describe the enabling of load balancing via logon group SPACE for TMS via program TMS_MGR_LOADBALANCING. A different logon group is not possible via this program.

User measurement load balancing

User management transaction USSM can cause significant load on the system. Apply OSS note 3028252 – USMM2: Background Jobs Lastverteilung and the settings to have the user measurement program jobs load balanced.

How to validate correct load balancing?

To check if load balancing has done its job, go to transaction ST03, and open the section Load History and Distribution, Instance comparison, then the time frame:

Check that the load is evenly distributed among the application servers. The central instance will off course have a different load profile.

Troubleshooting OSS notes and blogs

The following OSS notes can be useful for troubleshooting:

Useful background blogs:

Workflow tips & tricks

SAP workflow is used for many different business scenarios. This blog will give tips and tricks for the basis part of SAP workflow.

Questions that will be answered in this blog are:

  • How can I send a reminder email to the workflow owners?
  • How to check how many items in the inbox a user has?
  • How to delete the items in the inbox of a user?
  • How to delete the items in the outbox of a user?
  • How can I terminate workflow(s) as administrator?
  • How do I execute general workflow activation?
  • Where can I find more FAQ and manuals on workflow?
  • How to solve workflow transport issues?
  • How can I add a general task to a transport?
  • How can I setup forwarding of workflow as admin?
  • How can I check if a user has setup a substitution?
  • How can I restart workflows?
  • What to check in case of delays in workflow?
  • How can I trigger workflow processing again after a system crash?
  • How to solve the Workflow error “maximum number of 10,000 nodes reached” error?

Workflow FAQ note

SAP has created an excellent FAQ note: 2214571 – Collection Note: Workflow troubleshooting guides, FAQs and important notes. This is a good starting point for find solutions to workflow issues.

Sending reminder email to workflow owners

Program RSWUWFML2 can be used to send reminders to workflow owners that they still have open workflow items:

It is important to know that only reminders will be send in mail if the workflow owner user ID’s mail address in maintained in SU01.

Important explanation OSS note:

Important bug fix OSS notes:

Changing the message subject of the reminder mail

To change the message subject of a mail, create a new message in SE91. Example is class Z_CUSTOM message 010 with text: “Gentle reminder of workflow”. Now put in field message class for subject field the name of your class (Z_CUSTOM) and the message number in message number for Subject:

Changing the body of the message of the reminder mail

Goto transaction SE61 and select text type Text in Dialog. First the default text SWU_NOTIF_INBOX:

Now use the copy button to copy the text to a Z text. For example Z_SWU_NOTIF_INBOX. Change the text as per you requirement and activate the text.

Now you can use this new text in the workflow reminder mail program:

SAP workflow inbox

Using transaction SOY5 or via program RSSOINBO you can get an overview of the amount of workflow items per user:

Via program RSSOINBD you can delete the inbox of a user:

Removing work items from user inbox

There are many ways to remove work items from and end users inbox: 2382266 – How to remove work items from user’s Inbox.

Removing work items from user outbox

To delete expired items from the users outbox, run program RSSOEXDA: 2774728 – Remove entries from user Outbox.

Changing priority of a work item

To change priority of a work item in SBWP follow the instructions in OSS note 2863528 – How to change the priority of a work item from SBWP.

Terminating workflows as administrator

Start transaction SWIA:

In the second screen select all the items you want to terminate and use menu option Edit / Work Item / Logically Delete. The workitem will now to status CANCELLED. Then they can be archived (see blog).

See also OSS note 2422812 – How to delete workflow item from inbox and OSS note 1705866 – “Logically Delete” for a large number of work items.

For execution of mass logical deletion in SWIA, you must select all items and in the command area enter ADMC as command and press enter:

Or select all and choose menu option Edit/Work Item/Logically Delete.

Please note: mass cancellation is possible. Mass completion not. Only via ABAP code (read this blog for the custom code which performs this). See OSS note 2650820 – Mass complete work items manually.

Restarting workflows

Transaction SWPR can be used to restart a workflow:

When there was a system crash transaction SWPC can be used to continue workflows:

Bug fix note: 3270257 – Multiple selection value help does not work for input field “Multistep task” in transaction SWPC.

How to find top level ID for a workflow item?

To find the top level for a workflow, follow the instructions in OSS note 3277360 – How to find the Top-Level work item ID of a workflow.

Reducing size of workflow tables

Workflow tables start with SWW. They can grow very large in a productive environment. For analysis see blog. For deletion and archiving see blog.

For workflow from idocs specifically, read OSS note 1813141 – How to delete unnecessary workitems of IDoc processing.

Specific note: 2847116 – SWF_TRC_CONT table huge growth.

Deleting workflow trace can be done via program RSWEQDELETE (see note 2162503 – Deleting trace records from Workflow tables).

Basic workflow activation in a new system

For activating workflow in a new system or after an S4HANA upgrade, please read this dedicated blog.

Delays in workflow

When you are experiencing delays in workflow, read OSS note 2146408 – Delay in executing a Workflow. Also check OSS note 888279 – Regulating/distributing the workflow load for load balancing on workflows.

Transport issues with workflow

Workflow development objects can give some issues in transports, since not all objects are immediately put into a transport upon development.

If you have set a workflow task to general and want to transport it, use program RHMOVE30 to put it into a transport. For more background read this SAP blog.

Substitution and forwarding

Using transaction SBCS_EXTCOM you can setup forwarding for a user ID towards different user ID as admin. This might be needed in case of illness of a user:

In the third tab of this transaction you can see if a user has setup a substitution himself.

Workflow error “maximum number of 10,000 nodes reached”

If you get this error, increase the value Maximum node number in transaction SWPA:

Do not just increase, but read OSS note 2397114 – Workflow error “maximum number of 10,000 nodes reached”, which advices to check the workflow definition, before increasing this value.

Use report RSWP_CHANGE_MAX_NODES to solve your immediate issue.

Workflow delegation and substitution

SAP workflow has options for delegation and substitution (for example when person is on holiday). Read more on this in the SAP wiki for substitution.

Workflow and system copy

After a system copy, check the workflow configuration again. See OSS note 3227538 – Workflow background steps are not getting completed after system copy.

Data archiving: store files in SAP content server

With data archiving you reduce the database size of SAP and increase the performance by reducing the amount of records in the SAP tables. The data archiving process write files with the archived data. These files must still be stored securely, since on file level any admin can delete the files and you might loose valuable business data.

This blog explains the setup of storage of data archiving files by using SAP content server as storage medium.

Questions that will be answered are:

  • How do I setup the link from SAP netweaver ABAP stack to the SAP content server?
  • Which settings do I need to make in the archiving objects to store the archiving file to SAP content server?
  • How do I store the files in the SARA transaction?

General tips and tricks for SAP content server can be found in this blog.

Setup of SAP content server 7.5 information can be found in this blog.

How to setup archiving technically can be found in this blog.

How to run archiving can be found in this blog.

Linking the SAP Netweaver ABAP stack to SAP content server

First we need to maintain a special protocol in customizing using this path:

Create a new protocol:

This protocol can now be assigned to the SAP content server you want to use for storing the data archiving files. Go to transaction OAC0 to link the protocol to your content server:

If the field protocol is not visible immediately there, click the button Full administration first.

Data archiving object specific linking

After the steps above to make the general connection to content server available, the content server needs to be explicitly mentioned in each data archiving object. For any data archiving object (start transaction SARA first and select the object), click on the customizing button:

In the popup screen now select Technical Settings in Archiving Object-Specific Customizing:

At the bottom fill out the content server repository and decide if you want to start automatically or immediately:

Remark 1: the F4 search help does not work here! Key in the value directly and check using the check button. Then save the data.
Remark 2: always tick the option Delete Program Reads from Storage System. This forces that the archive file is securely stored first, before the deletion run is allowed to start.

Use of archive routing

If you have a lot of archiving data and a lot of years of archiving done, it can be needed to set up a second or third content server.

With the use of Archive Routing you can determine in which content server to store which archive files.

On the SARA screen push the customizing button and select Archive Routing:

Now set up a rule:

And the conditions of the rule:

Storing archive files in SARA

After the configuration is done the new button Storage system appears on the screen in the SARA transaction for this specific object:

If the button does not appear: check the technical settings above, and remember: this is to be repeated for each object.

Storing files that have been written by the Write phase of the data archiving process can now be stored by pressing the Archive Files button:

Select the file(s) to store:

Now a batch job starts (per file!) to store the archive file into the SAP content server.

After correct storage of the file, the file can be selected in the delete phase.

SAP content server 7.5

SAP has released content server 7.5. Content server can be used to store attachments, documents and archiving files outside of the SAP database.

Questions that will be answered in this blog are:

  • Where can I find more information on SAP content server 7.5?
  • How to upgrade to SAP content server 7.5?
  • What is the support on my SAP content server 6.5 installations?

SAP content server 7.5

The main OSS note for SAP content server 7.5 is 2786364 – SAP Content Server and Cache Server 7.5 (and higher). This is a major different technology setup: there is no Apache or Microsoft webserver needed any more. The content repository setup itself does not change.

For installation you can follow the instructions from the main OSS note, or follow the steps from the SAP blog on content server 7.5 installation.

Upgrading from 6.5 to 7.5

As mentioned before the technology has changed on how data is put into content server and how it is retrieved, but the data structure itself is the same. Note 2786364 – SAP Content Server and Cache Server 7.5 (and higher) is also describing the migration process. Your database (most of the times MaxDB) remains as is. But you have to install new 7.5 content server. Then you migrate the configuration. You stop the old 6.5 server and start up the new 7.5 server. You test that all works via the content server check programs from this blog (you might need to perform changes in transaction OAC0). SAP recommends after successful migration to clean up the old 6.5 as soon as possible to avoid issues (like an overzealous admin starting it up again…).

Support of SAP content server 6.5

In the main OSS note on SAP content server 6.5 (1983930 – Availability of SAP Content Server 6.50) there is no direct indication of end of support date. SAP content server 6.50 is part of the Netweaver 7.40 stack. The support of this stack ends by 31st of December 2020.

See also OSS notes 761387 – SAP Content Server support information and 719971 – SAP Content Server release strategy.

Before raising SAP message, first read OSS note 3345452 – SAP Content Server – required information for analysis on the information SAP needs for a quick solution to your issue.

Changes to test programs

The content server test programs (for example RSCMST) can respond differently with the new content server. SAP is updating these. For more information see the blog on content server tips & tricks.

Content server license

For using content server from SAP using MaxDB no special licenses is needed. See OSS note 2553449 – Does the SAP Content/Cache Server require a separate license?.

Exit mobile version