APC: Abap push channel

The ABAP push channel (APC) is the ABAP implementation of websockets. It’s goal is to enable the ABAP stack to send push messages to registered web clients.

This blog will answer the following questions:

  • How to setup an ABAP push channel?
  • How to implement the ABAP push channel?
  • How to test the ABAP push channel?
  • Where to find more background and examples on ABAP push channel?

Setting up an ABAP push channel

To setup an ABAP push channel go to transaction SE80 and right click, select create / connectivity / ABAP push channel notification.

Now press the Generate Class and Service button. The classes and services will now be generated as placeholders. Save your work.

If you try to activate the service at this point in time you get this error message:

The reason is that we didn’t implement two methods of the new class yet: the ON_START and ON_MESSAGE.

Implementing the actual APC class

To do this, we go to SE24 and lookup the generated class and we select the ON_START method:

Press the redefine button to redefine the method.

Use this code in the method:

TRY.
* send the message on WebSocket connection
DATA(lo_message) = i_message_manager->create_message( ).        lo_message->set_text( |ON_START has been successfully executed !| ).
i_message_manager->send( lo_message ).
CATCH cx_apc_error INTO DATA(lx_apc_error).
MESSAGE lx_apc_error->get_text( ) TYPE 'E'.
ENDTRY.

This basically confirms the push channel registration.

Now redefine the ON_MESSAGE method:

TRY.
* create the message object
DATA(lo_message) = i_message_manager->create_message( ).
* send message
lo_message->set_text( |Hello World !| ).
i_message_manager->send( lo_message ).
CATCH cx_apc_error INTO DATA(lx_apc_error).
MESSAGE lx_apc_error->get_text( ) TYPE 'E'.
ENDTRY.

It simply pushes the message: ‘Hello World’.

Save and generate the class in SE24.

Now we can go back to the SE80 ABAP push channel we have created and activate it as well. You can run the consistency check to see all is fine:

Testing the ABAP push channel

Now you can test the ABAP push channel by hitting the test button in the SE80 screen of the ABAP push channel. The test service will launch an ABAP webdynpro screen.

If the ABAP webdynpro screen does not launch, activate in SCIF transaction the following 2 nodes: WDR_TEST_APC and WDR_TEST_APC_WSP.

Test result:

As an alternative to SE80 you can also use transaction SAPC:

Background information

Excellent blogs on ABAP push channels are:

SAP interfacing: REST

The SAP ABAP stack can also interface using REST protocol. To support this interface protocol SAP has developed special classes in the ABAP stack.

Questions that will be answered in this blog are:

  • How do I create a REST interface in ABAP stack?
  • How do I test a REST interface in ABAP stack?
  • Which tools to use to developer REST interface?

REST in ABAP

SAP delivers in the ABAP netweaver stack the ABAP REST library. The full specification can be found on the SAP help portal. The help portal also contains a small tutorial. Next to the pre-delivered REST library classes there are no tools for you available to faster develop REST in ABAP. It is coming down to SE24 and SE80.

Good reference blog is the SAP blog on usage of REST in Netweaver 7.4. This also explains the generic REST architecture implementation in ABAP.

Creating REST service in ABAP

We will create a simple Hello World REST service in ABAP. There are 2 main classes in REST ABAP: the application class handling the URL and the resource class where the logic is.

Start transaction SE24 and create a new class inheriting from the SAP delivered class CL_REST_HTTP_HANDLER:

REST create class

important here to press the inheritance button! Fill out CL_REST_HTTP_HANDLER as superclass:

REST create class as inheritance

It is mandatory to redefine the GET_ROOT_HANDLER method:

For now just leave the method empty. Save and generate.

Now create the REST resource class based on inheritance of CL_REST_RESOURCE:

REST define resource class

Now redefine the GET method:

REST resource class redefine GET method

No we add a simple implementation by simply adding the text ‘Hello World’:

REST resource class GET method implementation

Save and activate this class.

Now we go back to the previous class: the application class. In here we now edit the GET_ROOT_HANDLER implementation we left empty earlier:

REST implementation of root handler

If the URL is getting the input /hello then the handler class (our resource class) ZCL_HELLO_WORLD_RES_REST is called. This class will return the string.

Save and activate again. The coding work is done.

Runtime implementation

Now we need to make a runtime implementation. Goto transaction SICF and select the main node default_host first. Then select from the menu Service/Host the option Create Service:

REST SICF create service

Fill out the name of the service and click ok. In the next screen give a description and in the Handler List section refer to the application class ZCL_HELLO_WORLD_REST:

REST SICF handler

Save the service. The service is created but not active. To activate right click on the service and select Activate:

REST SICF activate service

Testing the service

From the previous SICF screen right click the service again and select the option Test Service. A screen will come that says “No suitable resource found”. Now modify the URL by adding /hello after the test in the URL, and press enter again:

REST SICF test service

The URL build up: the test is the name defined in SICF. The /hello was defined in the application class.

Authorizations and security

The REST library has no specifics about authorization and security. So you have to take care your self.

Business authorization security: has to be built in via AUTHORITY-CHECK statements at the correct spots.

Technical security is provided in the Logon Data tab on the SICF node. Here you can set requirements for the technical logon method and if you only allow https.

SAP interfacing: ODATA

In the previous blog we have setup RFC enabled function module. If you want to expose this function module as ODATA service you can use the wizard in transaction SEGW. This blog assumes the basis ODATA basis activation has been performed (see this blog).

Questions that will be answered in this blog are:

  • How do I generate an ODATA service based on a RFC function module?
  • How do I test if the ODATA service is properly working?

Set up of the ODATA service

Start transaction SEGW and create a new project:

Now start the RFC import wizard by right clicking on Data Model and selecting the option Import and then RFC/BOR interface:

Now select the data parameters:

And enter which field is key field:

After pressing finish the wizard will generate the needed classes.

Save your work and press the check button to validate if everything is ok:

Now we need to map the implementation to the RFC module. Right click on the GetEntitySet below ZODATADEMOENTITYSet and select Map to Data Source:

Now map the fields (you can use drag and drop):

Now you need to map the data fields correctly and press check.

Save your work.

Generation of objects

You can see that the Runtime Artifacts section is still empty.

Now press the button Generate Runtime Artifacts:

Wait for the generation to finish:

Now the runtime artifacts are generated, but the service maintenance is not done yet. Open the section Service maintenance and double click on the system:

Now press the Register Service button:

Accept settings and assign package for transport:

Now the registration status is green.

Testing the ODATA service

Press the button SAP Gateway Client (or start transaction /IWFND/GW_CLIENT directly, and then enter the correct service):

The test client starts:

Enter the correct inputdata: /sap/opu/odata/SAP/ZODATADEMO_SRV/ZODATADEMOENTITYSet(‘1’)

And check the output:

Attention points

The example above seems simple, but you will face more issues in real live implementation when you need to add tables and more complex structures. In those cases additional configuration and many times extra coding in the methods of the generated classes is required.

Nice blogs to start with:

ODATA security

The user calling the ODATA service needs a special right in SAP to be allowed to call the ODATA service.

Start transaction PFCG and create a new role. On the menu tab select the option Authorization Default. Then select type Tadir and object type IWSV gateway business suite enablement. Now you can finally search for our own developed and activated ODATA service:

Now save the role and assign it to the user(s) needing to call this ODATA service.

The application security relies on the function security authorization check inside the RFC function module.

SAP interfacing: exposing web services

In the previous blog we have created a test RFC module. We now will expose this test RFC module as web service. This blog assumes the basic SOAP web service runtime has been done according to the manual in this blog.

Questions that will be answered are:

  • How can I generate a web service design time based on an RFC module?
  • How do I activate the web service runtime via SOAMANAGER?
  • How do I test my web service?

Creating the web service based on RFC module

Goto transaction SE80 and search for the test BAPI:

Now right click on the name ZBAPIDEMO function module and select the option Create / Enterprise Service:

Fill out the name for the service definition and the description. Press Cont. to continue to the next screen:

Press Cont to go to the next step:

Press Cont. to go to the next screen:

Fill out your package and transport request.

Important here: on a sandbox you might want to use a local object ($TMP). In a development system, NEVER use the local option. A lot of data structures and coding will be generated. If you later try to move the objects from $TMP to a real package, you will be faced with a lot of issues. See note  886682 - Proxy inconsistencies on the use of repair programs SXIVERI_PROXY_HASHID_CHECK and  SXIVERI_PROXY_HASHID_CHECK_70. After the cumbersome and painfull repair you will not make the mistake again... 

Press Cont. to goto the last screen:

On the screen you can already see the next action after completion: SOAMANAGER. But first press Complete to start the generation of the objects.

After the generation, do not forget to Activate the objects!

Activation success message:

Setting up the runtime with SOAMANAGER

To setup the runtime, start transaction SOAMANAGER. It is assumed that the basis team has performed the initial SOAP runtime setup. If not done, ask the basis team to follow the steps in this blog.

On the SOAMANAGER start screen choose the option Web Service Configuration:

In the next screen search for the design time object we created and activated in the previous section (if you forgot the activate, you will not find it now…):

Select the service and on the next screen press the button Create Service:

Fill out the definition details:

Press Next and define the security settings:

Remark: in the newer versions, the default security is set to high. If you need lower security, go back to SE80 definition in the tab configuration to change the security profile (save and regenerate!):

Press next and define the SOAP protocol settings:

On the last screen of the wizard press finish:

Wait for the runtime generation to finish.

The screen returns to the generated runtime artefacts:

The most important artefact is WSDL file which you can open from here.

Testing the service

Goto transaction SE80 and select the Enterprise Services Browser (if not visible goto menu path Utilities/Settings and add the tool):

Now open your service by clicking the Open Object button and search for the service in the second tab:

Check that the WSDL file is properly showing:

If ok, press the test button (F8) to start the test tool:

On the next screen first press the XML editor button to allow the content to be changed:

Now press execute to test. The result:

Web service security

The functionality security of the web service is the same as for the generic RFC handling (see blog on this).

The technical security of web services is mainly driven from the security settings in SOAMANAGER. There you can set the transport protocol security and you can indicate if you want simple user ID / password security or work with additional certificates for server to server authentication.

The user calling the SAP web service must have the authorization object S_SERVICE. In S_SERVICE you can define the specific web service it needs to be able to call.

Troubleshooting web services security issues

For troubleshooting web services note 2321968 – SOAP Web Service Security Troubleshooting refers to a very extensive SAP site for web service security issues troubleshooting.

Monitoring web services

For monitoring web services, read this dedicated blog.

SAP interfacing: RFC

SAP has many different ways to interface. The RFC (Remote Function Call) protocol is one of the most wide used.

This blog will explain best practices around secure and correct setup of custom built ABAP RFC function modules.

Questions that will be answered are:

  • How to setup RFC enabled function module?
  • How to setup proper RFC error handling?
  • How to setup security in RFC enabled function module?
  • How strict is the S_RFC authorization handling?
  • Why is SAP_ALL not sufficient for RFC handling?

Creation of test RFC enabled function module

In SE37 you can setup an RFC enabled function module just like a normal function module. First create a function group. Activate that function group in SE80. Now you can create the function module. We will call our test module ZBAPIDEMO:

Important here in the first tab is to set the processing type to Remote-Enabled Module.

For testing we setup import and export tabs:

Important here with RFC: set the Pass by value tickbox.

For tables use a suitable table type:

And setup the correct exceptions:

Here you can see 2 very important error messages that should always be implemented:

  1. An extra authorization check
  2. An error message when no data is found

Now we can implement the following simple source code:

   DATA: zls_coms_gen_textline TYPE coms_gen_textline.
 
   AUTHORITY-CHECK OBJECT 'S_CDMC'
   ID 'CDMC_AREA' FIELD 'A'
   ID 'CDMC_ROLE' FIELD 'U'.
   IF sy-subrc EQ 0.
 
     CASE zimport.
       WHEN 1.
         zexport = 'Hello world'.
       WHEN 2.
         zls_coms_gen_textline-entry = 'Hello world table 1'.
         APPEND zls_coms_gen_textline TO ztable.
         zls_coms_gen_textline-entry = 'Hello world table 2'.
         APPEND zls_coms_gen_textline TO ztable.
       WHEN OTHERS.
         RAISE not_found.
     ENDCASE.
 
   ELSE.
     RAISE not_authorized_business.
   ENDIF. 

What is important here in this source code:

  1. The authorization check is implemented and raises an error
  2. If no data is found the NOT_FOUND error is raised

With the SE37 test suite you can test diverse scenario’s now.

Calling RFC function module from another ABAP system

If you call this RFC function module form another ABAP sytem you have to make sure you have set and check the following exceptions:

  exceptions
      not_authorized_business = 1
      not_authorized          = 2
      system_failure          = 3
      communication_failure   = 4
      not_found               = 5
      OTHERS                  = 6.

There are 2 exceptions from the BAPI definition:

  1. NOT_FOUND (nothing found)
  2. NOT_AUTHORIZED_BUSINESS (our own implemented business authorization check)

4 exceptions should be implemented as part of the RFC framework:

  1. NOT_AUTHORIZED: this is the RFC authorization, which will be explained next chapter
  2. SYSTEM_FAILURE: the coding has caused a dump and the system returns and error message (see OSS note 2484377 – Error Message: “RFC Exception SYSTEM_FAILURE Raised; No More Memory Available to Extend an Internal Tab” Upon Executing a Data Extraction Run as an example)
  3. COMMUNICATION_FAILURE: the call to the other system fails. Most likely if you go to SM59 to the RFC destination and perform a connection test you will get a failure.
  4. OTHERS: something else went wrong

The developer should take proper care of these error situations.

Dear ABAP developers: the basis team member are also humans. They will make RFC configuration errors, they rely on the authorization team to assign the correct roles and they rely on infrastructure providers to make sure systems are up and running. Also the basis team will need to perform patching and upgrades to the system, which you as ABAP developer, are calling. So please don't blame the basis team for these exceptions, but please be a good developer and implement proper error handling. If you didn't implement proper error handling, and something went wrong on basis side, that caused your code to go wrong, think twice before putting blame on basis if your code is not handling the situation properly.

For reference: OSS note 1371131 – Correct error handling of RFC calls.

Security of RFC calls

Security of RFC calls is consisting of 2 layers:

  1. The RFC layer
  2. The business application code

You should always implement both layers!

The RFC layer is protected by authorization object S_RFC:

Here you can choose between a function group or even allowing per function module. Personally I would protect by function module. Background: create, change and display BAPI’s will normally be developed inside same function group.

There is a common misunderstanding that if you give SAP_ALL to a (background) user, this would solve the RFC authorization issues. This is not true. SAP_ALL does not contain the S_RFC rights. You have to hand them out separately.

Best practice 1: you might want to start with broad authorizations at the beginning of a development to rule out authorization issues. But you must definitely limit the rights before you make the development go productively live.

Best practice 2: as first statement inside each and every RFC function module, program a relevant business authorization check statement. This is an extra safety measure that is needed to protect important business data from authorization consultants that have handed out * authorizations in object S_RFC (* means all).

Generic S_RFC check handling at basis level

The behavior of the S_RFC check is driven by the settings of RZ11 profile parameter auth/rfc_authorithy_check. Please make sure it has a setting of 6 or higher. Best is 9. A system with 5 or lower can be considered as insecure!

Background OSS note: 2216306 – S_RFC check and profile parameter auth/rfc_authority_check.

Running SCI on standard SAP and add-ons

SCI is a very powerful code scanning tool (see blog). Unfortunately you cannot apply it to standard SAP and add-ons.

Analyzing standard SAP code is the responsibility of SAP, and they take good and secure code (since they provide good code, it is weird they don’t allow everybody to scan their code…). Unfortunately a lot of add-on providers do not.

The blog will explain how to scan code of standard SAP and mainly on add-ons.

Questions that will be answered are:

  • What is the background on not being able to scan standard SAP and add-on code?
  • Can I truly scan the code of a new OSS note 7 days?
  • How can I work around these restrictions and still scan the code of an add-on?

Background

The background of not being able to scan standard SAP code is explained in OSS note 1986391 – Using SLIN/SCI to check SAP standard objects. This note also explains you can scan OSS notes and transports for 7 days. After that time it is no longer possible. Unfortunately this rule also applies to add-ons.

Why run SCI on add-ons?

Why would you want to scan add-ons? Add-ons come with various quality levels. Ranging from very well written with much attention to performance and security. Some add-ons are full of performance issues and full of security leaks. Some are even allowing full dynamic read SELECT and UPDATE statement without any authorization check. This is heaven for a hacker!

The below method is meant for scanning these poor add-ons using the SCI tool for performance, robust coding and security.

How to run SCI on add-ons?

When you run the SCI tool on an add-on by selecting package or development object, you get the message that it does not contain any objects:

This is because your selection is first scanned for standard SAP and add-on objects. These are removed. So the result set is empty.

Goto transaction SE24 and select class CL_CI_OBJECTSET. Now select method BUILD_TADIRSET and display the code:

Put a break-point as statement if ENABLE_CI ne ‘X’.

Now start the SCI tool again. If the debugger stops at this statement, use debug and replace to change the content of ENABLE_CI to ‘X’. Now the skipping of SAP and add-on objects is not done. SCI will scan the code. It will still not use SLIN. But these are minor checks.

Activate SAP GUI for HTML via integrated SAP ITS

For users that do not use the SAP GUI regularly, you can use the SAP GUI for HTML as an alternative. The end users will then access the SAP system via the GUI shown in the web browser. This way the end user does not need to install the fat client on his laptop or desktop.

Questions that will be answered in this blog are:

  • How to activate the SAP GUI for HTML?
  • How to change the theming?
  • How to monitor the ITS behind the SAP GUI for HTML?

Activation of SAP GUI for HTML via integrated ITS

In transaction SICF activate the SAP GUI for HTML node /sap/bc/gui/sap/its/webgui:

Look and feel of the SAP GUI for HTML

OSS note 1508958 – Look and Feel in the WEBGUI explains the different themes for SAP GUI for HTML. OSS note 2540597 – Supported Themes for SAPGUI for HTML explains the support of different theme versions per netweaver version. Note 1656975 – How to set the theme for SAPGUI for HTML? explains how to set the theme.

Monitoring the SAP GUI for HTML via ITS tools

The SAP GUI for HTML is using SAP ITS (internet transaction services) to render the HTML pages. Transaction SITSPMON is the monitoring transaction for ITS:

Known issues

If you get a popup stating Transaction SMEN is locked and you are redirected to the logoff page, please check OSS note 2874027 – Transaction SMEN is locked in direct webgui.

Webdynpro unified rendering updates

Webdynpro for ABAP and SAP GUI for HTML use the unified rendering framework as enabler for high performance. Bugs and issues in this framework are solved in unified rendering updates. Also new functions are deployed in this way.

Questions that will be answered in this blog are:

  • How do I find my current versions for the unified rendering framework?
  • How to see if there are new patches for the unified rendering framework?
  • How to execute patches for the unified rendering framework?

Current version of unified rendering framework?

You can get the current version information of the unified rendering framework by starting program WDG_MAINTAIN_UR_MIMES. Then click on the option Show Extended Info:

In newer versions you can also the versions directly in the ITS monitoring transaction SITSPMON:

Patch information

The main note for unified rendering for all technologies is 2500800 – UR: General information about cumulative patches for Unified Rendering.

This note refers to the collective note for SAP GUI for HTML (2504011 – SAP GUI for HTML: Unified Rendering Update – Instructions and Forecasts) and the note for Webdynpro for ABAP (2090746 – WD ABAP: Unified Rendering Update with TCI – Instructions and Related SAP Notes).

Applying the updates

In case of a webdynpro for ABAP update, you will have to apply the corresponding OSS note from the previous section via the TCI update procedure (see blog on TCI notes). After applying the note, run program WDG_MAINTAIN_UR_MIMES to check the consistency.

The SAP GUI for HTML patches are delivered on kernel level.

Installing ADT Eclipse frontend

This blog will explain the installation of the ABAP development tools (ADT) on the laptop or workstation.

Activation of the ABAP development tools needed on the backend is explained in this blog.

Questions that will be answered in this blog are:

  • Where can I find the software downloads?
  • What is the installation sequence?

Software download of ADT tools

Software can be downloaded from the SAP public site: https://tools.hana.ondemand.com/ .

Click on the ABAP part:

Download here the SAP JAVA part and the Eclipse.

Installation

Make a directory on your local machine called C:\ADT\.

Do not use spaces and special characters in the installation directory. This is a main cause of issues. 

Extract the files:

Now in the the directory Eclipse, you can launch Eclipse by double clicking on the executable:

Launch issue

Depending on your JAVA installation and settings a Eclipse launch code might appear:

If this happens, most likely Eclipse can’t find a proper JAVA installation. In the previous step you have downloaded the SAP JVM files and extract them as well to the C:\ADT\ folder.

Now we need to edit the Eclipse.ini file:

Edit the file and add the line to point to the SAP JVM:

-VM

C:/ADT/sapjvm_8/bin/javaw.exe

This has to be inserted at exactly the designated spot. Save the file and re-launch Eclipse.

Installation inside Eclipse

After first initial launch of Eclipse:

  1. In Eclipse, choose in the menu bar Help > Install New Software…
  2. For Eclipse 2019-12 (4.14), add the URL https://tools.hana.ondemand.com/2019-12

After this install is done Eclipse needs to restart.

Now you can open the ABAP perspective in Eclipse:

SWLT performance tuning worklist

This blog explains how to use the SWLT performance tuning worklist to find poorly performing Z code by combining SQL monitoring data from production and ATC results.

Questions that will be answered are:

  • How to setup the SWLT performance tuning worklist tool?
  • How to analyze the results from the SWLT performance tuning worklist tool?

Preparations

As preparation for the SWLT tool you must have run the SQL monitor in a productive system and created a snapshot of the data. This snapshot you can export and import in a development system. In the development system you configure and run the ATC code check tool.

The SWLT performance tuning worklist tool will combine these results. As example we will use this poorly written Z code:

Running the SWLT tool

Start transaction SWLT:

You can reduce the scope by just taking the needed Z packages. Goto the tab Static Checks to select the appropriate result of the ATC run:

Now select the SQL monitor tab to select your SQLM data snapshot you took from your productive system:

Now that all data is loaded, you can hit the execute button to start the SQL performance tuning worklist.

The tool will now start to merge the results. In the example above you can see the following result:

In the total result select a line. On the bottom left you can see the SQL monitor results. Bottom right you can see the ATC check result. Clicking on the underlined program or SQL statement will bring you to the poorly performing ABAP code point.