Category: Basis

basis

PDF converter in SAP ABAP kernel

The newer SAP ABAP kernels and system (781 kernel and 755 system) can support PDF converter from the SAP ABAP kernel.

Using the kernel it will speed up PDF generation for ABAP list, SAP Script and SmartForms.

Background

The background of the SAP ABAP kernel is explained in OSS note 2991197 – Using the kernel PDF converter in ABAP.

Switching on PDF generation via SAP kernel

To switch on, start program RSTXPDF3KRN and choose to change the parameter PDF_KERNEL:

Confirm to turn on:

Fonts

Fonts and fonts mapping can still be maintained via program RSTXPDF2UC:

SAP for me

SAP for me is an alternative to the SAP support marketplace.

Questions that will be answered in this blog are:

  • What functions does SAP for me offer?

Start of SAP for Me

You can easily start SAP for Me with the URL me.sap.com.

SAP for Me versus support.sap.com

SAP for Me provides some extra functions that are not offered yet by support.sap.com. The general overview of functions is listed in the chapters below.

Highlights:

  • Calendar function
  • Financial invoices and licenses
  • Statistics on open SAP messages

Calendar function

In the calendar function you can quickly see which upcoming maintenance activities there are for your cloud products, planned expert sessions, software release dates, and security patch days:

Portfolio and products overview

In the portfolio and products overview you can see the products (both on premise and cloud) that you are licensed for. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Finance and legal

In the finance and legal overview you can see the products (both on premise and cloud) that you are licensed for, the invoices and for cloud the current usage. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Services and support

The services and support overview page is a different view on your tickets open at SAP. It provides quick insight into which tickets are with SAP, and which ones are at customer action (which do require your attention):

Systems and provisioning

Systems and provisioning provides an overview of both on premise and cloud systems:

Users and contacts

Users and contacts page gives overview of your important contacts.

Information disclosure of SAP Web Administration Interface

Despite the fact that this is a know issue, in many cases still it is seen that the SAP web administration interface is still set to fully public. This way an attacker can still retrieve vital release information.

You should check this carefully, also for newer system installations, this might be not ok.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be started on your netweaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you keyed in the URL and you got a password prompt like this:

If you did not get it, that means this page is still public.

Why is this public release information dangerous?

This page is present in ABAP, JAVA stacks and webdispatcher. Portals and Netweaver gateway systems are often exposed to external world for partners, customers and suppliers. If you did not do a good job on security with reverse proxies and the SAP systems themselves, this page is available on internet. Hackers scan for it, get the release information and know if you are vulnerable or not.

Dangerous? Yes, very. See the last very high Hotnews security note on ICMAD:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub parameter ALLOWPUB (it is a sub parameter of icm/HTTP/admin) to NO. See screen shot on how to see the sub parameters:

Checking if it is done properly is simple: start the page again and see that it disabled:

SAP support log assistant

Many SAP applications generate logs with errors. These can be hard to analyze.

SAP now offers online tool to quickly scan a log for known issues and provide potential OSS notes with hints and solutions.

Questions that will be answered in this blog are:

  • What is the SAP support log assistant?
  • How to use the SAP support log assistant?

How to run and use the SAP support log assistant

To start the SAP support log assistant, use this URL.

Use the button to upload your log file. In this case a SAP cloud connector log file with errors:

After the upload, press the button Scan files to start the scan. The results:

The third screen is the summary:

Here you can download your results, submit to SAP or provide SAP with feedback.

Background of the SAP support log assistant

SAP note 2990062 – What is the Support Log Assistant and how can I use it to find known issues and solutions? describes the full background.

Wiki page: link.

File types that can be analyzed: link.

Explanation blog: link.

TLS v1.2 setup

TLS stands for Transport Layer Security (full background you can read in this blog). It determines the security protocol used for the web part of the ABAP server.

Questions that will be explained in this blog:

  • How can I enable TLS v1.2 for my ABAP server?
  • How can I check TLS v1.2 is properly setup?
  • Can I disable TLS v1.0 and v1.1?

Setup of TLS v1.2 on ABAP

The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.

Settings to enable TLS v1.2 and still allowing v1.0 and v1.1 for older clients:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26  =  SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27  = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28  =  SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE

Set up of TLS v1.2 on HANA

For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.

How to check TLS v1.2 usage?

The TLS version usage per browser is a different process to check. Read this blog to find the exact instructions per browser.

The end result is as follows:

Can I switch off TLS v1.0 and v1.1?

Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Please also read the warning in this note: the advantage is very low, the risk that you will get issues is high.

So switching off in live system is tricky. Switching it off starting new system landscape is simple and a good idea to do.

TLS v1.3

TLS v1.3 is currently not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.

SAP background

More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.

SAP Process discovery

SAP offers new tool called Process discovery.

This tool can help you to prepare for an S4HANA conversion.

SAP pathfinder will most likely by succeeded by Signavio process insights. Read this blog for more information on Signavio process insights, discovery edition.

Preparation

Apply OSS notes 2758146 and 2745851  and move them to your productive system.

Then run program RC_VALUE_DISCOVERY_COLL_DATA in productive system with the business scenario recommendation option.

The first option is for the pathfinder tool. You can read more on this option in this blog.

Let the batch job collect the data. Run the program again and use button Download Analysis Data to download the data.

The analysis

Now you can upload this file to the SAP site. Wait about 5 working days for SAP the process the data.

You can look at a sample report on this link:

And you can see the demo results:

Background

Background on SAP process discovery can be read in this SAP blog.

In case of issues you can read the troubleshooting guide: 2977422 – Process Discovery (evolution of SAP Business Scenario Recommendations) & SAP Pathfinder report – troubleshooting guide.

Read more in OSS note 2918818 – Usage and Performance Data Collection for Process Discovery (evolution of SAP Business Scenario Recommendations) and SAP Innovation and Optimization Pathfinder on Spotlight on the inclusion of usage and performance data.

SAP Readiness Check for SAP S/4HANA upgrades

The SAP readiness check is normally used to asses the impact of an ECC to an S4HANA system upgrade or conversion (read this blog).

It can also be used to asses the impact of an upgrade of a lower S4HANA version to a newer S4HANA version.

Preparation for the S4HANA readiness check

First apply the notes listed in master note 3059197 – SAP Readiness Check for SAP S/4HANA upgrades. If you have a short dump after start of program RC_COLLECT_ANALYSIS_DATA, follow the instructions in OSS note 3093810 – Executing report RC_VALUE_DISCOVERY_COLL_DATA immediately results in an ABAP Dump CX_SY_DYN_CALL_ILLEGAL_FUNC.

Also apply the notes mentioned in OSS note 3061414 – Enabling extended integration impact analysis for SAP Readiness Check, if you want to include ALE scenario’s in your analysis.

If you have to upgrade to a newer version, apply the latest version of the 305197 note and afterwards start program /SDF/RC_START_CHECK and use the “Update latest version form SAP catalog” button.

Running the check

Start program RC_COLLECT_ANALYSIS_DATA:

Start the batch job and wait until it is done.

Start program RC_COLLECT_ANALYSIS_DATA again and push button Download Analysis Data.

This file you need to upload on the SAP Readiness check site.

Result

After you have uploaded the results SAP needs about 1 hour to process the results. Then you can look at the items you need to consider for your S4HANA release upgrade:

Remark: the amount of items will be far less than the ECC to S4HANA conversion readiness check.

Bug fix notes

Bug fix notes:

Test drive SAP Cloud ALM demo system

SAP Cloud ALM is a solution offered by SAP for managing cloud products of SAP.

The tool is still in build up, but is looking promising. If you are interested in what Cloud ALM can do, you can read the documentation, but also try out in the online Cloud ALM demo system.

Questions that will be answered in this blog are:

  • How can I see online in a demo system what SAP Cloud ALM can do?
  • Where can I find more information on SAP Cloud ALM?
  • Does SAP Cloud ALM require a license or is it free for use?

If you look for a SAP solution manager demo system: read this blog.

The SAP Cloud ALM demo system

The SAP Cloud ALM demo system can be accessed on the ALM demo tenant page:

Use one of the users listed to logon:

Background information on Cloud ALM

General information about Cloud ALM can be found on this link.

All technical background and implementation information on Cloud ALM can be found at the SAP Cloud ALM expert portal:

SAP Cloud ALM license

According to this SAP blog, the use of SAP Cloud ALM is part of the general SAP license, just like SAP solution manager. It’s use is free of license cost, but off course, time you need to spend on implementation and activation is not.

SAP GUI default change to Edge

After upgrading to SAP GUI 7.70 you can change the default browser from Internet Explorer to Edge.

More on SAP support for browsers in general can be found in this blog.

Prerequisite: install WebView2

First read OSS note 2913405 – SAP GUI for Windows: Dependencies to browsers / browser controls. This note describes the need for you to download and install the Microsoft WebView2 framework:

Impact of WebView2: 2901278 – SAP GUI HTML Control based on Chromium Edge: Legacy HTML does not work (correctly) / present limitations.

Switch browser setting for SAP GUI

Now you can go to the settings of you SAP 7.70 GUI and change the default browser in the Interaction Design/ Control Settings:

If fallback to Internet Explorer is still required, read this note: 2957665 – SAP GUI HTML Control: Browser Control Fallback Configuration.

In case the option is locked: 3191784 – Edge (based on Chromium) HTML control option is locked in the SAP GUI Control Settings.

If you need to build a workstation package with the default Edge setting, read this OSS note: 3221242 – How to set the Edge (based on Chromium) as the default browser control in single file Installer aiming SAP GUI distribution on multiple workstations.

Switch browser setting for SAP Business Client

For SAP business client the settings are in the Settings/Browser section:

Here you can choose the browser and download location to be used.

Chromium security updates

There might be a lot of hotnews and security OSS notes on the Chromium part. Main OSS note: 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client.

OSS notes

Relevant OSS notes:

Relevant blogs on browsers and SAP web technology

More blogs on browsers and browsing technology:

  • HTTP/2 support for FIORI and ABAP web applications: read this blog.
  • TLS v1.2 setup in ABAP system: read this blog.
  • Webadmin pages disablement: read this blog.
  • More on SAP support for browsers in general can be found in this blog.
  • How to check HTTP usage in your system: read this blog.
  • FIORI gateway timeout settings: read this blog.
  • FIORI cache refresh: read this blog.
  • FIORI gateway tips and tricks: read this blog.
  • Webdynpro Unified Rendering updates: read this blog.

Reducing S4HANA upgrade downtime: ZDO, zero downtime option

Next to nZDTM (near zero downtime) there is now a new option called ZDO (Zero Downtime Option). This new option even further reduces the downtime of an upgrade to a newer version.

The ZDO option is primarily available for S4HANA upgrades (for example upgrade from S4HANA 2020 to S4HANA 20201), but is also available for products based on the same ABAP version, like SAP Focused Run.

How does the ZDO work?

ZDO is the next evolution of the shadow system. Now not only the code is duplicated, but also the data and settings. This is done in a so called bridge system. Postings are duplicated in the main and in the bridge system.

In this way the business downtime is further reduced:

A ramp down, restart and ramp up is still required.

Technical background

All the technical background and restrictions are listed in OSS note 2707731 – Prerequisites and restrictions of Zero Downtime Option of SUM for SAP S/4HANA and training ADM330e.

The note states as well that the basis person must have followed the training ADM330e before the customer is allowed to perform the ZDO option. The option is released for customer, after training. Why is training required? The option is technically very nice, but also complex (updates are done in both the old and new release). The restrictions and execution must be done correctly and in high quality fashion. This cannot be done without proper training.

You should also do a full dress rehearsal of the ZDO upgrade including people posting data in the system during the bridge phase.

The most common use case is an S4HANA upgrade. But the ZDO upgrade can be used in other used cases as well. For example SAP Focused Run can also be upgraded with ZDO. There are special notes, instructions and restrictions: 3269755 – SAP Focused Run 4.0 Support Package 00 – Update Preparation and Postprocessing Documentation. Check the notes carefully for your specific use case.

Memory

ZDO will use more memory since it will have 2 database schemas. Check and monitor this carefully on your test upgrades and extrapolate to production. A ZDO upgrade does require a test run on full production copy size.

Execution of ZDO issues

During execution of ZDO, you will get far more issues and errors as compared to the downtime optimized scenarios. For this reason, the first ZDO upgrade you execute should be on a sandbox system. Preferably as a copy of your productive system. You will learn a lot of things on the sandbox upgrade, to make the real upgrade later on go smooth.

Addons

Some addons might block the upgrade. Some can still be allowed in the upgrade, but cannot be upgraded along with the upgrade and have to remain at the same version. At the bottom of note 2707731 there is an always up to date excel file containing the Allow List for addons.

OSS notes in ZDO checks phase

During the prechecks and later even in shadow system build up, SUM will come with list of OSS notes that need to be applied in main system or in shadow.

For the real upgrade: already apply all the notes on the development system before the upgrade and transport these to production.

Database inconsistencies

All database inconsistencies must be resolved. Repair via SE14, see blog.

BI system settings

ZDO is currently only supported for embedded BI scenario. This might mean you need to get help from your BI team on de-activating some BI content.

To find out what is blocking: go to transaction SE24 and enter class CL_RS_UTILITIES. Start the test tool and launch method GET_SYSTEM_SCOPE. If the answer is DATA_WAREHOUSE, this will block the upgrade. Use your debug skills (or ask ABAP developer) to see which items are throwing roadblocks. Then de-activate or delete that content (with help of your BI team).

Old HANA transport containers

Some old HANA content might block the ZDO upgrade. Read more on this in OSS note 2982320 – HTA for HDI: Error in execution of HDI call: insufficient privilege. Steps to solve: repair privileges on the ABAP HANA user. Run program SCTS_HTA_ADMIN in repair mode.

Background

Background blog from SAP: read here.

Exit mobile version