If you are having performance issues, of if you have done intensive data archiving or technical cleanup in your system running on Oracle, you need to consider the Oracle statistics. Without proper statistics the performance of your system will be sub-optimal or even bad.
Questions that will be answered in the blog are:
How to run Oracle index statistics update?
How to use the update as part of technical cleanup?
Oracle index statistics update
To run the Oracle index statistics update, go to transaction SE38 and start program RSANAORA:
To redo the statistics of an index fill out the table and index in the format: table~index. In this example the main index (0) of table BALDAT is chosen: BALDAT~0.
Run the update and wait for it to be finished:
Repeat this for every index defined in your system (lookup in SE11, button Indexes).
Runtime will depend on the amount of entries in the table and the type of infrastructure. Test on acceptance system before running in productive server.
Index run for almost empty tables
If your table is empty or almost empty you can also run RSANAORA with the option Alter index rebuild online. This will speed up read performance for that table index.
Regular runs
If you have setup regular technical clean up jobs as explained in this blog, you can opt to schedule a last step in the clean up job the update of the statistics program RSANAORA. This will ensure best performance while it will hardly cost you time.
The new solution has 2 locking transactions: SM01_DEV for client independent locking and SM01_CUS for client dependent locking.
SM01_DEV locking transaction
Start tcode SM01_DEV:
In this example we will lock transaction SE30_OLD. On the next screen select the transaction and press the lock button. Fill out the transport number. End result:
When starting SE30_OLD you now get this error message:
SM01_CUS locking transaction
In this example we want to lock transaction S_ALR_87012271. The start screen is identical to SM01_DEV. If you want to lock the transaction you get a popup screen in which you can differentiate for WinGui or non WinGUI.
The transaction will be locked, but not be put into a transport. If you want to transport the lock, you have to use the transport button.
After locking tcode S_ALR_87012271 and starting it you get this message now:
The transaction is now only locked in the local client. If you have more client or want a full central lock, then you have to run SM01_CUS from client 000.
Differences SM01_DEV and SM01_CUS
Differences between the 2 transactions:
SM01_DEV locks global and has mandatory transport
SM01_CUS locks per client and has an optional feature to transport
Overview of locked transactions
Program RSAUDITC can be used to get an overview of all locked transactions.
This blog will explain the steps need to make the SAP workflow engine to work. If you have to set up the SAP workflow engine in S4HANA, please read this dedicated blog.
Questions that will be answered are:
How to execute the automatic workflow configuration?
What are common issues with workflow configuration?
How to test the automatic workflow configuration?
What other settings are to be done for custom workflow building?
Automatic workflow configuration
To setup workflow configuration start transaction SWU3. This brings you to the Automatic Workflow Customizing screen.
If the system is new then you see most of the icons are red. Hit the Automatic Customizing button.
Depending on your version all actions might be completed. In this step in the background the user WF-BATCH is created along with the RFC connection WORKFLOW_LOCAL_<CLIENT>.
In the newer versions of SAP netweaver this automatic step might end up with this status:
Zooming in on the RFC connection issue:
You will see as analysis that the user WF-BATCH is not yet created. In the newer SAP versions SAP expects you to create WF-BATCH first, before you run the automatic workflow configuration. If you have done the auto configuration and get this message, just create WF-BATCH user in SU01. Then restart SWU3 and repeat the step for automatic customizing. It will be correct:
Testing the workflow setup
On the SWU3 screen hit the Start Verification Workflow button (if needed accept the event linkage activation). Be patient now for at least 5 minutes, since in the background normally a lot of code is compiling. Then go to the inbox to check if you validation workflow was properly launched. In S4HANA the button is no longer there on the SWU3 screen to jump to the inbox. You still can use the inbox button on the SAP start screen or use transaction code SBWP.
In the inbox you should see an item. Open it and make a decision:
This will end the verification.
Common issues
Most common issue is to execute the automatic customizing without sufficient authorizations.
Best practice from SAP basis: execute SWU3 directly after installation with SAP_ALL still attached to your user ID. Then only hand over the system to the authorization team. After activation, you can remove SAP_ALL and provide the authorizations as explained in OSS note 1574002 - WF-BATCH and SAP_WFRT Authorizations.
There are many static code analysis tools. Long list can be found on Wikipedia. At some point in time a manager or developer might come to you with one of these tools like “hey, at my previous customer we used SonarABAP for code measurements”.
This blog will explain the ABAP code metric tool built into netweaver. Together with the ATC tool the code metric tool covers most of the functions that such tools deliver.
Questions that will be answered in this blog are:
How can I count the amount of lines of Z code in my SAP system?
How to run ABAP code metric tool?
What output will the ABAP code metric tool deliver?
Use cases of the ABAP code metric tool?
Test program
The test the code metric tool write a small ABAP program like this:
This program has nested IF statements (3 levels deep), one ELSE statement and a nested DO.
Code metric tool
Start the custom code analysis tools with transaction /SDF/CD_CCA:
The code metric tool is the tool on the bottom of the screen.
On the start screen select the package and extra checks (selecting more packages and checks will increase the runtime of the tool):
Result for our test program:
The output is giving:
LoC: lines of code
NoS: number of statements
NoC: number of comments
COM: complexity of conditions
TOTAL DD: complexity weighted by decision depth
etc
IF: 3 (this was in our test program)
ELSEIF: 1
DO: 2
etc like amount of loops, selects, updates, deletes, modifies, case statements.
Use cases of Code Metric Tool
Use case 1: complex programs
Complex programs are normally source of most productive issues. You can use the code tool to check if the program is not too overly complex (like many nested if and case statements).
Use case 2: the procedural versus OO discussion
Sometimes you have managers wanting you to count the amount of Z objects. If you have switched from procedural coding to OO coding you will find the amount of objects to have increased. The code metric tool can help you here by counting the amount of statements and complexity. The amount of objects in OO is typically higher, but due to re-use and better setup, the total amount of statements and the total complexity decision depth should be smaller.
Use case 3: count the amount of Z code lines in your SAP system
Every now and then there is discussion on Z code. Sometimes the question will popup: “How many lines of Z code do we have in our SAP system?”. This question you can answer as well with the code metric tool explained above.
For reference: SAP standard has 238 million lines of code (source is this SAP blog).
This blog will explain the use of SAP clone finder.
Questions that will be answered in the blog are:
What are clones?
How to run the clone finder tool?
How to analyze the difference between the original and the clone?
What are clones?
Standard SAP offers lot of out-of-the-box functions and reports. But in many cases the standard report only offers 95%. What to do? In many cases developers copy the standard SAP program to Z copy and add the needed 5%. When upgrading the system to higher version or when applying support packages or OSS notes, the Z clone will not be upgraded to latest version. Maybe the clone needs updates as well, or can be deleted now after upgrade (if SAP added the missing 5%).
The clone finder tool is able to find the clones made in the past.
When you are doing a S4HANA conversion project (see blog) you will have to look again at these clones if they are still relevant or not.
Running the clone finder tool
The clone finder is part of the Custom Code Analysis workbench. Start the workbench with transaction /SDF/CD_CCA or transaction CCAPPS:
Clone finder is on top of the list.
Start screen of clone finder:
Pending on the size of your system you can run online or in batch.
Test result of standard SAP copy made as example:
As example program RSUSR003 and its includes were copied to Z programs. 3 are shown as identical copies. 1 is altered.
In the function link column you can hit the Version Compare button to see the differences:
Differences: the name of program and includes are different. And the authorization check was removed.
How to use changes in operation mode during runtime issues?
Operation modes explanation
In SM50 you can see the overview of work processes (in SM66 for all servers if you have more). The work processes are divided into online DIA, background BTC, update UPD, etc. The number of work processes is limited. During a working day normally more dialog processes are need for end-user usage. During the night typically more background batches are running.
This is where the operation modes come into the picture: you can setup these different modes and assign them to a timetable. The system will then have for example less dialog and more batch processes available during the night.
Operation modes setup
Start transaction code RZ04 for setting up the operation modes screen. Hit the create operation mode button:
Give a short key name and description for the operation mode. In our example we will set up simple DAY and NIGHT.
The initial screen after creation is empty:
You now need to maintain the instance data and assign the created operation modes:
It is import to check if this is active or not. When in doubt select the menu Instance and entry Set to active.
Also in these screens: press the save button locally and on the top of the screen.
Later on you can always change the work process distribution:
Put the cursor on the type (example Background) and use the plus and minus to increase or decrease the amount.
Make sure both DAY and NIGHT are properly setup now. Check in RZ04 start screen.
Amount of DIA versus non-DIA processes
To avoid issues, make sure the amount of DIA work processes is always greater than the amount of non-DIA work processes. See point 4 of the SAP OSS note 1970757 – Outbound qRFC scheduler with status RES_LACK. This note explain issues you can get in your system if you don’t apply this rule.
Time table assignment
Now that we have the two operation modes DAY and NIGHT, we need to tell the system when to use which one.
In the RZ04 main screen choose menu Operation Mode and then Timetable (or transaction SM63 directly). You reach the initial time table screen:
Choose the normal operation. Here you assign the operation mode to the time table:
This UI is bit unfriendly: double click on first time, then on last time, then assign operation mode. When done save the input.
Result in RZ04:
Activation of operation mode
Now this is done, you might check in SM50 to see nothing has changed. This is because the operation mode is defined, but not activated yet to run.
Go to transaction RZ03 and choose the operation mode you want to go to by selecting the Choose operation mode button.
In the menu select Control, Switch Operation Mode, All servers. Confirm the switch.
Now if you check in SM50 you see the switch is almost immediately effective.
Change of operation mode during system issues
During system issues you might want to use the switch in operation mode or change the work process distribution.
Use case 1: project team needs to do conversion on the fly in the system and did not notify basis team. All batch processes are filled up. Temporary quick solution: switch to NIGHT profile.
Use case 2: somehow the update processing is slow and you see bottleneck in UPD processing. Temporary quick solution: change the DAY profile to have 1 or 2 more UPD processes and less of something else. Save DAY profile and goto RZ03 to activate. After issue is resolved, don’t forget to revert back to normal. In this case it might be due to growth that anyhow more UPD processes were needed in the system.
Bug fix OSS notes
Please check following bug fix notes in case of issues:
Transaction SBPT brings you to the parallel background test environment:
Here you can evaluate your settings.
Real live use
Some SAP transaction use parallel execution. Example is transaction code FAGL_MM_RECON.
More on load balancing
Parallel processing is an important part of load balancing across multiple application servers. More on load balancing can be read in this dedicated blog.
In the previous blog on SAP security notes you will see that security notes popup around “Digitally signed SAP notes”.
This blog will explain more on how to implement this.
Questions that will be answered in this blog are:
Why switch over to the new way?
How to implement the feature to download digitally signed SAP notes?
How to make the relevant settings?
Where to find more information?
Why switch over to the new way?
SAP keeps improving their security in all ways. Including OSS notes. There is no direct benefit. After downloading the OSS notes, the handling is identical for old and new way.
Switching over from current way of working to digitally signed SAP notes can be done any time.
SAP has announced the following: "Post January 1, 2020, the download and upload process will stop working unless Note Assistant (SNOTE transaction) is enabled in ABAP systems to work with digitally signed SAP Notes".
How to implement digitally signed SAP notes?
There are 2 basic ways to implement (you have to do only one):
Apply TCI based OSS note 2576306, which contains all the notes (and manual work) in the notes mentioned in point 1. Your system needs to be able to handle TCI based OSS notes (see this blog on how to do this).
Follow the guided procedure
Guided enablement procedure
The guided procedure is the easiest way to apply and check the digitally signed OSS notes way of working.
Follow the instructions from OSS note 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes. Attached this note is an explanatory PDF document that describes all steps in detail. After installation of the OSS note (and prerequisite notes), you can run program RCWB_TCI_DIGITSIGN_AUTOMATION, which will guide you through the steps and verifies the results at the end:
Settings after implementation
If you have done the TCI based import a new customizing node is available:
The first one (direct program in SE38 is called RCWB_SNOTE_DWNLD_PROC_CONFIG) is to set the way of downloading:
The second one (direct program in SE38 is called RCWB_UNSIGNED_NOTE_CONFIG) is to allow only digitally signed SAP notes:
How to validate if the notes now are digitally signed?
To see if all is ok, download and implement a new OSS note. In the note log you can now see the digital signature download in the note log (in nice German words):
This blog will explain how you can optimize your process of security notes via System Recommendations.
Questions that will be answered are:
What is the System Recommendations tool?
How do I set up the System Recommendations tool?
How do I deal with the results of the System Recommendations tool?
Where to find even more information on the System Recommendations tool?
What is the System Recommendations tool?
System Recommendations is a tool that runs in SAP solution manager. It weekly check SAP for new security notes and compares it with your own system. New notes will be alerted as new in the System Recommendations list. Notes you have applied will be removed from the list.
This automated procedure save you a lot of time checking for and follow up on security notes.
Alternative in SAP Focused Run
SAP Focused Run has a superior alternative for checking security notes with it’s Configuration and Security validation tool. Read more in this blog.
Setting up System Recommendations
If solution manager is properly setup, system recommendations is already enabled.
To verify if the system recommendations job is running start transaction SOLMAN_SETUP and select Mandatory Configuration and then Basic Configuration. Then select in the roadmap on top step number 2 and look for the system recommendations job, which will typically run every week:
Adding a system to System Recommendations
In SOLMAN_SETUP goto the managed system configuration of the system you want to add to system recommendations.
Select the full configuration for the system. On the roadmap select step 5: Enter System Parameters. On the screen below tick the box for Enable System Recommendations:
Now the system is added you need to wait until the weekly job runs.
System recommendations result
In solution manager goto the System Recommendations tile:
Upon clicking you get the list of systems and OSS notes per category:
Now you can zoom in for example on the security notes:
Per OSS note you can keep track of the status:
Dealing with the list
Some notes you can implement via SNOTE automatically. After they are implemented (normally via transport import if you run System Recommendations against productive system) they will be gone with the next run of system recommendations.
Some notes depend on kernel patch: also here, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.
Some notes might be non-relevant: you can mark them and they will no longer show in the open list of security notes.
DB and OS versions
The security notes will pickup all the database and OS versions for security notes, even if you don’t run them. To reduce the list goto transaction SM30 and maintain the content of table AGSSR_OSDB:
Flag the unused Databases and OS to Inactive and they will be filtered away next run.
More features
System recommendations function has more features. If you want to read all of them, please read the SAP full document. You need to use transaction SM30_DNOC_USERCFG_SR to configure these settings.
OSS note backbone settings
If you have issues updating most recent notes, or anything at all, please check in transaction SM30_DNOC_USERCFG_SR. Make sure there is no entry there for SYSREC_RFC_CALL. If it is there delete it. This is due to the SAP technical backbone change.
In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.
Questions that will be answered in this blog are:
How to run the Security Optimization Service?
How does the questionnaire work?
How does a sample result look like?
How to run Security Optimization Service
In solution manager 7.2 go to the tile Active Sessions for Service Delivery:
You now arrive in the sessions overview screen:
If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.
Select the button create to make a new service. From the list choose the option SAP Security Optimization:
There might be multiple. In that case select this one (the others won’t work):
Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:
Finish the roadmap. After the final step the detailed roadmap will appear:
In the first step select the logon and test the connection:
In the next step you need to assign a questionnaire:
If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:
In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.
If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.
The SOS session is now scheduled.
Authorizations
You need authorizations in the backend system for ST14. If that is missing you get this message:
Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.
Example of an SOS report can be found at this URL.
Follow up
If you find issues: solve them and rerun the report.
If you find many users with too many rights: start to revoke the rights and rerun the report.
If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.
In general it will take a few runs to come to a more cleaned up system.
