Sometimes you will find yourself in the situation that you need to stop an SAP Dialog Instance while the Central Instance and Message Server are still running. This can be tricky, but you can avoid any disruptions in service or failed processes if you follow these easy steps:
1. Run transaction SMMS, choose the Dialog Instance you need to stop, and select Goto > Expert Functions > Servers > Deactivate. This will put the instance in passive mode, which prevents any new processes from being started on that instance. This can also be done from transaction SM51 by choosing the instance and selecting Goto > Server Name > Administration > Deactivate.
2. SM66 will now no longer show any active processes on that instance, however this is because your session cannot get to that instance while it is deactivated. You will need to watch the ABAP Work Process Table from the SAP MMC Management Console. When all the processes are idle, then it is safe to stop the instance.
3. Be sure to ONLY stop the dialog instance or you will kill active processes.
Keep in mind if you only have a single Dialog Instance, you will be effectively halting all system access, so it is best to only do this if you have multiple Dialog Instances in you landscape and logon groups.
You will also want to keep in mind that any user sessions already on that instance will still be attached to that instance, so when you stop the instance their sessions will be lost. You will first want to have users connected to that instance log out and back in so that they connect to one of the Active instances.
When you start the instance back up, it should automatically go back into Active mode, so you will just need to verify that in SMMS or SM51.
Hope this helps...
Wednesday, November 6, 2013
Thursday, October 3, 2013
Enable or Disable Transparent Data Encryption (TDE)...
Transparent Data Encryption
(TDE) is one of the options to protect your data available wih SQL2008. This
encrypts your database, data files, transaction log, and the backup files
created for your database. Keep in mind,
however, that this has been known to cause a 20-25% increase in processor load
and a significant performance hit. But
if your number 1 priority is encrypting your data, this is one option.
Enabling TDE Encryption
The following SQL commands
will get TDE setup in your SQL2008 database. You must have a certificate and
private key already generated for this.
Like many sites, you can use the same certificate and private key for
all of your SQL2008 Databases.
--- SET
ENCRYPTION
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password'
GO
CREATE CERTIFICATE tdeCert
FROM FILE = 'path to certificate file'
WITH PRIVATE KEY (FILE = 'path to private key file',
DECRYPTION BY PASSWORD = 'password');
GO
USE DBNAME
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE tdeCert;
GO
USE master;
ALTER DATABASE DBNAME
SET ENCRYPTION ON;
GO
After this command, you can
check the status of the encryption of the database with the below query.
--- CHECK
ENCRYPTION STATUS
USE master
SELECT
database_id, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO
Now you’re all set.
Disabling TDE Encryption
The following process will
get TDE removed from your database, after you have determined the performance
hit is too much, or the novelty of having an encrypted database has worn off.
Removing TDE is basically
the reverse of enabling it, however you will need to wait between steps.
--- REMOVE
ENCRYPTION
USE master;
ALTER DATABASE DBNAME
SET ENCRYPTION OFF;
GO
This will make the database
start the decryption process. Use the query below to check the status of the
decryption process.
--- CHECK
ENCRYPTION STATUS
USE master
SELECT
database_id, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO
You may need to truncate the
transaction log, or shrink the log file, if the encryption state stays at 2 with
percentage 0 for a long period of time. Then stop/restart the SQL Server
instance. When your server is back up re-run the above query to see the
complete decryption status. This second time will run much faster.
Once the process completes
and the database_id you are decrypting is no longer encrypted (will show encryption state 1 when complete), you can go on to the encryption key removal.
--- REMOVE THE
ENCRYPTION KEY
Use DBNAME
DROP DATABASE ENCRYPTION KEY
GO
Now simply remove the master
key.
--- REMOVE THE
CERTIFICATE AND MASTER KEY
USE master
DROP CERTIFICATE tdeCert
DROP MASTER KEY
GO
Hope this helps...
Tuesday, October 1, 2013
Using Message Server Logon/Load Balancing with SICF Services, Including NWBC…
I know a lot of you have run into this issue in the past:
You are using BSP’s or other services, or NetWeaver Business Client, and you
have outgrown the single application server landscape. The simple solution is to implement
additional application servers, right? Well yes, but if you were not using
logon balancing before, it may be a bit tricky to figure out what all needs to
be done in order to utilize these new application servers from the end user
standpoint.
Using the Message Server’s built-in logon balancing function,
you can get this done in a matter of minutes.
Pre-requisites:
- - You have already installed the new application
servers and connected them to the Central Instance.
- - Message server ports must be configured for
access.
- - SNC must already be setup in order to utilize
HTTPS load balancing
First, you will need to go into transaction SMLG and create at least one logon group and assign an
application server to it. I like to have a few of these so that when a client’s
system grows it is simple to spread out the load. You will want to name it
something that you will be able to easily identify, like say NWBC. Once this is
created, then create another one with the exact same name (case sensitive) and
assign another application server to it.
In the Properties tab for the logon group
you can set it to use the balancing logic Round Robin, Best Performance,
Probability, or Weighted Round Robin.
Once you have all the instances you want assigned to the logon group,
you are ready to configure the service to use it.
Next, go to transaction SICF and double click the service
you wish to take advantage of load balancing. In the Service
Data tab, select your logon group from the Load
Balancing dropdown field, and save. You can double check that logon
balancing is activated for this service in transaction SMMS.
If you want to assign all activated services to the same logon group, you can
assign the group to the top level default_host
service, but I would not recommend it unless you are sure you will always use
this logon group for all services.
Now all you need to do is make sure end users are logging
into these services through the message server port rather than a direct link.
The default message server port is 8100 (or 44400 for HTTPS), so your URL link
to be used should be http(s)://message_server:8100/service_path.
You will also want to make sure that the URL in the users’ NWBC desktop client
is changed to point to the message server rather than a direct link to the
application server.
Hope this helps…
Thursday, January 31, 2013
Ignore Password Expiration when authenticating with SSO
One of the most annoying things
about having multiple systems within an SAP environment is the fact that people
have to remember passwords for every component system within the landscape.
SSO resolves this problem, for the
most part, but there's still that annoying little fact that initial passwords
must be changed at first login, and passwords may be set to expire every so
often.
Well, you're options for avoiding
these problems are as follows:
1. Deactivate passwords
2. Have the component systems
ignore expired passwords when utilizing SSO
Option 1 is great, if your users
will never need to enter a userID and password. This puts the entire
authentication burden on some other application (like Active Directory).
But this is not necessarily the right solution for all clients.
Option 2 is what I choose,
primarily. In order to do this, you need to set profile parameters in all
ABAP and Java systems in your landscape.
For the ABAP systems set the
following profile parameter:
login/password_change_for_SSO
This profile parameter determines precisely
how the system will react in the situation in which a user accesses the system
through SSO and their password is expired (or initial). Here are the
values:
0 =
Ignore password change request, and allow access
1 =
Present a pop-up window with options 2 and 3 below
2 =
Require the password be changed, including old password and new password
3 = Deactivate the password
This is a dynamically switchable parameter and can be turned
on in RZ11 without the need for a restart, though you will have to modify the
profile to make the change permanent.
For the Java systems, open Visual Administrator, and under
the UME Provider service, set the following parameter to False:
ume.logon.force_password_change_on_sso
This is not dynamically switchable and will require the
cluster to be restarted.
Now both your ABAP and Java systems will ignore expired
passwords.
Hope this helps…
Monday, January 28, 2013
NetWeaver Portal not behaving with Internet Explorer SSL and TLS settings…
NetWeaver Portal not behaving with Internet Explorer
SSL and TLS settings…
Recently on a
client site we ran into issues with the internal users being unable to connect
to the portal while using the same SSL (3.0) and TLS (1.0, 1.1, or 1.2) settings necessary for other SAP
or 3rd party applications. This
may be related to Microsoft security updates KB2585542 and KB2618444, though
the client does not have record of applying these.
This is specific to Internet Explorer 8 or higher.
This is specific to Internet Explorer 8 or higher.
The errors you
may receive include “connection timed out” and “page cannot be displayed”
though others have seen spurious other generic error messages.
There
are two possible solutions:
1.
Update your AS Java to the latest Support Package. Unfortunately this was not an option at this
client site, so we had to go with the work-around below.
2. To implement the workaround change the SSL server configuration as follows:
- Open Visual Administrator and log in
- Select Dispatcher -> Services -> SSL Provider
- Select the line with port number corresponding to your web server (default 5xx01)
- remove all cipher suites except the following:
SSL_RSA_WITH_RC4_128_SHA
Keep in mind, if you implement this work-around, remember to add the appropriate TLS cipher suites back when you update AS Java.
2. To implement the workaround change the SSL server configuration as follows:
- Open Visual Administrator and log in
- Select Dispatcher -> Services -> SSL Provider
- Select the line with port number corresponding to your web server (default 5xx01)
- remove all cipher suites except the following:
SSL_RSA_WITH_RC4_128_SHA
Keep in mind, if you implement this work-around, remember to add the appropriate TLS cipher suites back when you update AS Java.
Hope
this helps…
Sunday, January 20, 2013
SYSTEM_NOT_CONFIGURED_AS_XMB...
Typically when you get this message in SAP PI, it means that the system you are trying to send a message to is not setup to receive the message. The way to correct this error is to go on the receiver system an set the Integration Engine Configuration in transaction SXMB_ADM.
Go to Edit >> Change Global Configuration Data.
Role of Business System: Application System
Corresponding Integ. Server: dest://[Integration Server RFC destination]
Save and retry.
Keep in mind that if you are doing this with messages from SRM to SUS (and SUS is a separate client on your SRM system) you will need to configure this in both clients.
Hope this helps...
Go to Edit >> Change Global Configuration Data.
Role of Business System: Application System
Corresponding Integ. Server: dest://[Integration Server RFC destination]
Save and retry.
Keep in mind that if you are doing this with messages from SRM to SUS (and SUS is a separate client on your SRM system) you will need to configure this in both clients.
Hope this helps...
Tuesday, January 8, 2013
SUS contact person password change is not synchronized to SRM…
The scenario is this: A temporary SUS
user that was previously created through the self-registration process logs in
and creates his permanent SUS user ID. At that point, the SUS user is created
and it is synchronized to SRM, with an identical initial password. When the SUS user logs in for the first time,
he is prompted to change his password.
This is fine, and operates as expected. However, once this same user
attempts RFx functionality (or any other function that makes a call to the SRM
backend) the user is prompted again to change his password. The confusion caused here is the password
that needs to be changed is the original initial password from the SUS user
creation, not the current SUS user password. From the user standpoint, they do
not know this because it is not intuitive that they are passing from one system
to another.
SAP has come out and said in note
1802240 that the password is not synchronized by design. I will not venture to guess as to the
reasoning behind this, however in researching ways to fix this from a
functional standpoint for my customer I came across a very simple solution.
I was looking at our options, and came
up with these:
1.
We could change the creation logic
with a Z program to force the password to be deactivated in the SRM system when
the user is created.
2.
We could change the synchronization
function modules with a Z program that includes the logic to force the password
change to be included with other user details when the synchronization occurs.
3.
We could just do nothing and provide
detailed instructions for the customers on how to work with this design defect.
Each of these potential solutions also
brought with them their own drawbacks, especially option 3, but each are valid
solutions. However, I ran across am
option 4 that never occurred to me before.
I came across the following profile parameter
login/password_change_for_SSO
This profile parameter determines
precisely how the system will react in the situation in which a user accesses
the system through SSO and their password is expired (or initial). Here are the values:
0 = Ignore password change request, and allow access
1 = Present a pop-up window with options 2 and 3 below
2 = Require the password be changed, including old password and new
password
3 = Deactivate the password
So, the solution that was best for
this customer was to choose option 0, which will allow the user access through
SSO and not prompt for the password to be changed. The customer loved the solution, and I will
certainly add it to my bag of tricks.
Hope this helps…
Monday, January 7, 2013
Connecting two BW systems to the same ECC system...
Connecting two BW systems to the same ECC system (or any other SAP system) is (normally) very easily accomplished. You simply create a source system connection to the ECC system (or other SAP system) in RSA1 on each BW system. Simple.
However, where this becomes difficult is if one of your BW systems was built as a system copy of the other BW system. Let's say you want your Training BW system to point to the same ECC system as the QA training system, and your Training system is a copy of your QA system.
When you try to restore the Source System connection in RSA1, the process will prompt you to delete the existing connection on the Source System side. That works fine for the BW system that you are setting up at that time, however it severs the connection to the existing BW system. I could go into great detail on why this occurs, but I am sure most of you are looking for a solution and want it quick.
So, here's the solution (all steps are performed on the new BW system unless noted otherwise):
1. Execute SM59 and delete the RFC connection to the Source ECC system (or other SAP system).
2. Execute RSA1 and delete the Source System definition
3. Execute RSA1 and create a new Source System definition, utilizing a different USERID for the RFC than what was previously used, since that user ID will already exist in the Source System and is tied to the existing BW connection. Keep in mind you will have to have the ECC client opened for changes in order to activate the connection.
Now both the original BW system and the newly copied BW system can connect to the same ECC system.
Hope this helps...
However, where this becomes difficult is if one of your BW systems was built as a system copy of the other BW system. Let's say you want your Training BW system to point to the same ECC system as the QA training system, and your Training system is a copy of your QA system.
When you try to restore the Source System connection in RSA1, the process will prompt you to delete the existing connection on the Source System side. That works fine for the BW system that you are setting up at that time, however it severs the connection to the existing BW system. I could go into great detail on why this occurs, but I am sure most of you are looking for a solution and want it quick.
So, here's the solution (all steps are performed on the new BW system unless noted otherwise):
1. Execute SM59 and delete the RFC connection to the Source ECC system (or other SAP system).
2. Execute RSA1 and delete the Source System definition
3. Execute RSA1 and create a new Source System definition, utilizing a different USERID for the RFC than what was previously used, since that user ID will already exist in the Source System and is tied to the existing BW connection. Keep in mind you will have to have the ECC client opened for changes in order to activate the connection.
Now both the original BW system and the newly copied BW system can connect to the same ECC system.
Hope this helps...
Subscribe to:
Posts (Atom)