
WDEBU7 Workshop

Chapter 05

nw2004s WAS Settings BI


Roland Kramer Rampup Coach nw2004s SAP Switzerland

© SAP AG Delta 7 Course Overview - 1


WAS 7.00 Settings for SAP BI 7

Contents:
- Overview BI Customizing
- Instance profile parameter
- Internet communication monitor
- SSO configuration
- Web basis tree configuration
- Web tuning suggestion
- Example customer portal
- Web printing extension
- Web browser settings

© SAP AG 2003, Setup BI 7, Roland Kramer / 2



Checking the Web Reporting Settings in SPRO


Additional notes for the WAS settings and web reporting:
- Note 434918: DNS configuration for BSP Applications on W2K
  - icm/host_name_full = server.domain.ext
  - http://server.domain.ext:1080/sap/bc/bsp/sap/it00/default.htm
- Note 550669: Compressed transfer of BI web Applications
- Note 561792: Client-sided caching of image/gif files
- Note 517484: Inactive services in the Internet Communication Framework
- Note 529793: Missing error text in the Internet Explorer browser
- Note 622130: Timeout problems in BI web Applications
- Note 619884: Integration of BSP applications in BI web Applications
- Note 498936: Log on/password change in web with BI3.0B or higher
- Note 516884: Anonymous logon with BI 3.0A/B and SAP web App. Server
- Note 517860: Logging on to BSP applications (check the documents attached to the note)
- Note 616900: BSP FAQ -- Frequently Asked Questions
- Note 677118: SP31-> Fully Qualified Domain Names Check



Checking the WAS Parameters with RZ10


Binding Ports Lower Than 1024 on UNIX

- With the Internet Communication Manager (ICM) you can also bind ports with numbers from 0 up to and including 1023 (well-known ports) on UNIX systems. The external binding program icmbnd, included in the standard delivery, is used for this.
- Usually the ICM itself binds the ports. If you want to use icmbnd to bind configured ports, change the parameter specification for icm/server_port_<xx> in the profile (transaction RZ11).

Integration
- On UNIX systems only users with superuser authorizations can bind ports with numbers lower than 1024. For this reason either the ICM process must be provided with these authorizations, or the port must be bound by an external program and the listen socket then transferred to the ICM.

Activating External Binding
- To ensure that the ICM itself does not attempt to bind the port, specify an additional option when configuring ports with icm/server_port_<xx>: EXTBIND=1
- The format of this parameter is:
  icm/server_port_1 = PROT=HTTP, PORT=8080, TIMEOUT=30, EXTBIND=1
- Usually icmbnd is called directly from the ICM, though the program can also be called from external systems to make new ports known to the ICM. icmbnd can also be used to bind ports >= 1024, but then the startup time of the ICM is longer.
- icmbnd is also available for Windows. As the user <sid>adm can bind any number of ports on this system, there is no need to use icmbnd here.



Obsolete Parameter icm/plugin_<xx>

Also note that the extension “EXTBIND=1” is still valid for Web AS 7.00.
So you can bind ports lower than 1024 on UNIX without any restrictions.


icm/plugin_<xx>
- This parameter is used to specify the protocols supported by the ICM.
- <xx> must be specified in ascending order from 0. A protocol is specified by the name of the protocol (for example, HTTP, HTTPS) and a shared library (plug-in) for the protocol. The plug-in can be associated with the parameter icm/server_port_<xx> at one or several ports.

icm/server_port_<xx>
Use
- You can use this parameter to specify the service/port that is to be used for a protocol. Either the service name or the port number can be specified.
- You can also determine additional service properties. This is described in the procedure below.
Prerequisites
- A plug-in for the protocol must be specified in the parameter icm/plugin_<xx>, as otherwise the service cannot be started. There cannot be more than one service allocated to a single port. Also, a service cannot be started if another program is using the port or service.
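
The two port rules above (ports below 1024 on UNIX need EXTBIND=1, and only one service per port) can be checked mechanically before a restart. The following Python sketch is an added example, not SAP code or part of the original slides; the sample profile lines are constructed, and the code assumes that `$$` in a port value stands for the two-digit instance number.

```python
import re

# Constructed sample profile lines (not from a real system); the option syntax
# follows the icm/server_port_<xx> examples shown on this page.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=60
icm/server_port_2 = PROT=HTTP, PORT=80, TIMEOUT=30, EXTBIND=1
icm/server_port_3 = PROT=SMTP,PORT=8001,TIMEOUT=60
"""

PORT_KEY = re.compile(r"^icm/server_port_(\d+)$")


def parse_server_ports(profile_text, instance_nr="01"):
    """Return one dict per icm/server_port_<xx> line, with $$ expanded."""
    services = []
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = PORT_KEY.match(key)
        if not match:
            continue
        opts = {}
        for item in value.split(","):
            name, _, val = item.strip().partition("=")
            opts[name.upper()] = val.strip()
        # Assumption: "$$" stands for the two-digit instance number.
        port = opts.get("PORT", "").replace("$$", instance_nr)
        services.append({"index": int(match.group(1)), "prot": opts.get("PROT", ""),
                         "port": port, "extbind": opts.get("EXTBIND") == "1"})
    return services


def check_unix_binding(services):
    """Flag ports the ICM cannot bind itself on UNIX, and duplicate ports."""
    findings, seen = [], {}
    for svc in services:
        label = "icm/server_port_%d" % svc["index"]
        if not svc["port"].isdigit():
            findings.append((label, "port given as service name, check manually"))
            continue
        port = int(svc["port"])
        if port < 1024 and not svc["extbind"]:
            findings.append((label, "port %d < 1024 without EXTBIND=1" % port))
        if port in seen:
            findings.append((label, "port %d already used by %s" % (port, seen[port])))
        else:
            seen[port] = label
    return findings
```
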



Checking the ICM Manager with Transaction SMICM

Also see note 308977 for additional errors.


Monitoring the Status of the ICM

Use
- The ICM monitor provides various functions for monitoring the status of the ICM and for detecting any possible errors.
Functions
- You can find the functions described here in the Go To menu.
Trace files
- To display or reset the trace file dev_icm, choose Go To → Trace file or Go To → Trace Level. You can also set the trace level here (values can be between 0 and 3; the default is 1). You can also display just the start or the end of the file (the first or last 1000 lines). This is a very useful function for large files. Choose Goto → Trace file → Display start or Display End.
- If you want to view the trace file of the external binding program icmbnd, choose Goto → Trace file → Display Dev_icmbnd.
Parameters
- Choose Goto → Parameters to display or change the ICM profile parameters. If you choose Change, you can display the RZ11 documentation for any parameter by placing the cursor on the parameter name and choosing Documentation.
- The value field is ready for input for those parameters that can be changed dynamically.
- Note that dynamic changes are lost the next time the instance is started.



Checking the Patch Level of the ICM


- Transaction SMICM (ICM Monitor) is comparable to SM51 (Instance Overview) and also contains a work process overview. The advantage of SMICM is that you can restart the ICM without restarting the SAP instance (no bounce of the system).
- For ICM usage in the Web Application Server it is mandatory to update the basis kernel 7.00 regularly, e.g. with the released kernel support stacks. The ICM gets its updates together with the kernel patches.
  Please also check the interaction between kernel and ICM. In 6.x, kernel patches sometimes produced errors in the web interface.

Additional notes for settings/performance of the integrated ITS:

- Note 705013 - Timeout for ICF services based on ITS
- Note 885580 - Integrated ITS: Configuration Parameters
- Note 890601 - SAP Integrated ITS updates for NetWeaver 2004s (7.00)
- Note 901250 - Integrated ITS, mimes cache control: max-age
- Note 746666 - OutOfMemory due to http response compression
- Note 910285 - WebAS Java 7.00 SP06 - List of corrections
- Note 1031733 - Http transmission of XI messages with huge payload fails



Checking the Prerequisites for SSO

- See the SAP Help Portal http://help.sap.com for more details
  - http://help.sap.com/saphelp_nw04/helpdata/en/e1/8e51341a06084de10000009b38f83b/frameset.htm → Architecture of the SAP WAS
  - http://help.sap.com/saphelp_erp2005/helpdata/en/e3/e86878c8204acc856d8d5da4a54fa4/frameset.htm → Administration When Using Logon Tickets
- Set the parameter SECUDIR=/usr/sap/<SID>/<instance>/sec for the user <SID>adm
- Download the SSO libraries from the SAP Marketplace http://service.sap.com/swdc or http://service.sap.com/tcs
- Check the SSO configuration with transaction STRUSTSSO2
  - System PSE and Certification List
  - Go to Menu → Environment → Display SSF Version
  - Go to Menu → Environment → SAP Logon Ticket → check with RFC destination NONE


- This page shows the steps to check the SSO configuration for WAS web reporting for BI.
  By default, only HTTP is active, and you get a prompt from your web browser as soon as you log on to your WAS server with http://server.domain.ext:<port>. The disadvantage is that you only get two fields: user name and password. If you want additional functionality such as a language field or a password change, you need to enable the SSO configuration on the system.
- This configuration is also the necessary prerequisite for integrating the BI system into the EP 7.0 Portal.
- Note 888687: BEx Web Java: Analysis of communication/logon problems
- Note 817529: Checking the SSO configuration
- Note 838097: Follow-up after installation/upgrade of ERECRUIT 600



Installing SSO Libraries in the System (Note 662340)

Copy the ticket to folder /usr/sap/<SID>/DVEBMGS<Nr>/sec

Copy the libraries to folder /usr/sap/<SID>/SYS/exe/run

- Make sure the libraries are accessible before restarting the system (chmod 775), otherwise errors will occur with the SSO.

See also the following release notes:

- Note 455033: SAPCRYPTOLIB versions, bugs and fixes
- Note 817529: Checking the SSO configuration
- Note 871671: SAPCRYPTOLIB 555pl17: Misc. fixes, important MS-Windows fix
- Note 836367: SSF PSEs: Setting algorithm and key length
- Note 1042745 - SAPCRYPTOLIB 555pl19 PKCS#1, 710+, PSE(v4)
- Note 1047610 - SAPCRYPTOLIB 555pl20: two regression fixes for pl19

- The libraries are available from the SAP service portal http://service.sap.com/swdc. Some updates for the secure library are also available in the kernel section of the service portal http://service.sap.com/patches
- Please note that the files on a UNIX-based system need sufficient permissions, otherwise SSO will not be enabled. This also applies to Windows-based systems (no read-only permission).
  If you find after restarting the system that you forgot to change the permissions, you have to stop the SAP system and change the permissions before SAP is restarted. Restarting only the ICM service has no effect.
- The SMTP service is used for various purposes, for example in SEM or in the process chains for BI. It is also used for Information Broadcasting, the new feature of BI 3.x and above.



Creating the SSL Tickets with STRUSTSSO2


More information about SSL/SSO:

- Check whether the library sapcrypto.<ext> (o, so, sl, dll) is the latest version, which you can download from http://service.sap.com/patches.
  You must use an S-user ID for the download. See notes 508307 and 354819 for details.
  The library must have 775 permissions, or read permission on W2K, before restarting SAP.
- Check for the right parameters in the SAP instance profile (example for Windows):
  - sec/libsapsecu = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll
  - ssl/ssl_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll
  - ssf/ssfapi_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll
  - ssf/name = SAPSECULIB
- Check with the transactions:
  - STRUST - Trust Manager
  - STRUSTSSO2 - Trust Manager for Logon Ticket



Import the Server Certificate (Note 510007)


More information can be found in the following notes:

- Note 836367: SSF PSEs: Setting algorithm and key length
- Note 578377: Digital signatures with SAPCRYPTOLIB
- Note 745103: Problem analyze with HTTPS-Communication
- Note 817529: Checking the SSO configuration

Configuration check
- SAP delivers the sso2test.htm BSP application. You can use this application to check whether an SSO2 cookie can be created.
- Start transaction SE80
  - 'SYSTEM' BSP application
  - Pages with flow logic
  - Right-click on sso2test.htm
  - Test
  - Follow the instructions on the screen
- You can also execute the following JavaScript command from the address bar of your Internet browser to check whether an SSO2 cookie currently exists:
  javascript:alert(document.cookie);
- As a result, all current cookies are displayed in an alert box. If an SSO2 cookie exists, there should be an entry that begins with 'MYSAPSSO2=....'



Add NWEP System in Access Control List (ACL)

Note: for double-stack installations the CN must be different, and the ACL points to the issued system with client 000 (“EP default”).


- This configuration step is done automatically if all prerequisites are fulfilled to start and run the NetWeaver Administrator Template Installer (CTC).

System parameters/settings
- login/accept_sso2_ticket = 1
- login/create_sso2_ticket = 2
- icm/host_name_full
  To enable the Internet browser to accept the SSO2 cookie, you must enter a fully qualified host name in accordance with notes 434918 and 654982.
- SAPSECULIB / SAPCRYPTOLIB
  You must use the SAP Security Library or the SAP Cryptographic Library.
- Transaction STRUST
- Transaction STRUSTSSO2
  In this transaction, you define which systems are meant to accept logon tickets. This is necessary, for example, when you want to access data from one system of a BI application to another application of another system, without having to log on again.
- Documentation http://service.sap.com/security
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce
  (New improved security features with nw2004s)



Checking the Correct Start of the SSO Configuration


nw2004s WAS Parameters 7.00

- rdisp/start_icman = TRUE
- icm/conn_timeout = 10000
- icm/HTTP/max_request_size_KB = 102400
- icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=d:\usr\sap\N4S\DVEBMGS01\data\cache
- icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin
- icm/HTTPS/verify_client = 1
- icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=900
- icm/server_port_1 = PROT=HTTPS,PORT=82$$,TIMEOUT=60,PROCTIMEOUT=900
- icm/server_port_2 = PROT=SMTP,PORT=25$$,TIMEOUT=60,PROCTIMEOUT=900
- icm/host_name_full = PWDF2142.wdf.sap.corp
- icm/keep_alive_timeout = 60
- icm/listen_queue_len = 512
- icm/max_conn = 300
- icm/max_sleep = 2000
- icm/max_threads = 30
- icm/min_threads = 10
- is/SMTP/virt_host_0 = *:25$$
- is/HTTP/show_detailed_errors = 1
- login/accept_sso2_ticket = 1
- login/create_sso2_ticket = 2
- mpi/total_size_MB = 120
- mpi/max_pipes = 4000
- ssl/ssl_lib = d:\usr\sap\N4S\DVEBMGS01\exe\sapcrypto.dll
- sec/libsapsecu = d:\usr\sap\N4S\DVEBMGS01\exe\sapcrypto.dll
- ssf/ssfapi_lib = d:\usr\sap\N4S\DVEBMGS01\exe\sapcrypto.dll
- ssf/name = SAPSECULIB
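
The SSO-related values in this list and on the earlier SSO slides (ticket parameters, fully qualified icm/host_name_full, the three library parameters, ssf/name) can be verified from an exported instance profile. The following Python check is an added example, not SAP tooling or part of the original slides; the sample profile is constructed, and treating "fully qualified" as at least three labels (server.domain.ext) and expecting all three library parameters to use one path are assumptions taken from the examples on this page.

```python
import re

# Constructed sample profile (not from a real system): the host name is not
# fully qualified and one library path differs from the other two.
SAMPLE_PROFILE = r"""
# instance profile excerpt
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
icm/host_name_full = bihost
sec/libsapsecu = d:\usr\sap\N4S\DVEBMGS01\exe\sapcrypto.dll
ssl/ssl_lib = d:\usr\sap\N4S\DVEBMGS01\exe\sapcrypto.dll
ssf/ssfapi_lib = d:\usr\sap\N4S\SYS\exe\run\sapcrypto.dll
ssf/name = SAPSECULIB
"""

EXPECTED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "2",
    "ssf/name": "SAPSECULIB",
}
LIB_PARAMS = ("sec/libsapsecu", "ssl/ssl_lib", "ssf/ssfapi_lib")


def parse_profile(text):
    """Parse 'name = value' lines; later lines override earlier ones."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_sso_prerequisites(params):
    """Return (parameter, problem) tuples for the SSO settings on this page."""
    problems = []
    for name, wanted in EXPECTED.items():
        if params.get(name) != wanted:
            problems.append((name, "expected %s, found %r" % (wanted, params.get(name))))
    # Assumption: "fully qualified" means at least server.domain.ext (3 labels).
    host = params.get("icm/host_name_full", "")
    labels = host.split(".")
    if len(labels) < 3 or not all(re.fullmatch(r"[A-Za-z0-9-]+", lab) for lab in labels):
        problems.append(("icm/host_name_full", "not fully qualified: %r" % host))
    libs = {name: params.get(name) for name in LIB_PARAMS}
    for name, path in libs.items():
        if not path:
            problems.append((name, "not set"))
        elif "sapcrypto" not in re.split(r"[\\/]", path)[-1].lower():
            problems.append((name, "does not point to sapcrypto: %r" % path))
    # Assumption: as in the page's examples, all three parameters use one file.
    if len({p.lower() for p in libs.values() if p}) > 1:
        problems.append(("sapcrypto", "library parameters use different paths"))
    return problems
```
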



Usage of the SAP Web Dispatcher (note 538405)


- See the online help http://help.sap.com/saphelp_nw04/helpdata/en/7c/d55316da1843669b0e5ef000e3517f/frameset.htm for more details of the configuration.

Setting Up the Web Administration Interface
- You have the package ICMADMIN.SAR. You can find it, or get the latest version, in the current DW* 7.00 package, which you can download from the SAP service portal. It is downward compatible to 6.20.

Procedure
1. Define the parameter icm/HTTP/admin_<xx> in the ICM profile in the line:
   icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,HOST=xxx
   This sets the URL prefix for the administration to /sap/admin and the path for the ICP control files to ./admin.
2. Specify this port with icm/server_port_<xx> as the ICM port.
3. Create an administration user as described under Creating Administration Users. The authorization file icmauth.txt will be generated.
4. Make sure that the file icmauth.txt (a different file name can be specified in icm/HTTP/admin_<xx>) exists in the work directory.
5. Unpack the package icmadmin.SAR with the ICP control files into a subdirectory with the name admin, by calling SAPCAR -xvf icmadmin.SAR admin.

Result
- You can now use the web administration interface.



Checking the BSP Services with Transaction SICF


- Note 517484 - Inactive services in the Internet Communication Framework

- This is the overview web tree for the web services.
  - Black indicates that the service is active
  - Grey indicates that the service is inactive
  - Blue indicates that the service is active, but the underlying service is still inactive. Use the feature to activate all underlying services as well (recommended even when there is no service under the active service).
- Note that for the SEM cockpit and for the WAS standard login, some services in the basis section also have to be active.
- The alias public should also be activated.
- You can also define your own aliases to have shorter web URLs, e.g. /sap/BW/BEx → /web



Checking the BI Service with Transaction SICF


- Please make sure that the whole tree in BI has an active compression flag, especially the sap/BI/bex and the sap/BI/Mime tree.
  You can do this once and transport these settings through your system landscape.
- Please note that corrections in the basis support packages can sometimes deactivate the service by accident. Then you simply have to set the service back to active.



Testing the BEx Service with Transaction SICF


- When you change something in a service, the service stays active all the time. You don't have to restart the service.
- The button "Test Service" switches directly to the web output without having a web query ready.
- http://server.domain.ext:<port>/sap/bw/bex?sap-language=DE&template_id=0ANALYZER
- Note 970002 - Which BEx Analyzer version is called by RRMX?
  - Transaction RRMX_CUST
- Note 966043 - BEx Analyzer: Calling queries with RRMXP

Test Java HTTP:

- SE38 → RS_TEMPLATE_MAINTAIN_70 → 0ANALYSIS_PATTERN → Test Web

Test ABAP HTTP:

- SE38 → RS_TEMPLATE_MAINTAIN → 0ANALYSIS → Test Web



Activating the SMTP Host (SEM related)


- The marked option also activates the underlying service (recommended). Please use this option whenever possible.



Checking the Web Protocol (RSCUSTV15)

- See note 512337 for more details.
- If you wish to switch to HTTPS and SSO access, please consult the notes 510007 and 391953 in advance.


- The default setting is HTTP. In most cases no change to HTTPS is necessary. However, enabling the full HTTPS environment is always possible with this configuration.



IE 6.x Explorer Settings for Caching Data



WAS 7.00 Settings for SAP BI 7: Unit Summary

You should now be able to:


- Apply the settings required to enable the WAS functionality for SAP BI
- Show how to handle the internet communication manager
- Configure the web basis tree for SAP BI
- Tune the SAP BI Web Reporting
- Do the necessary web browser settings to enhance web Reporting
