Saturday, May 10, 2008

SAP Load Balancing and Work Processes Troubleshoot

SAP Load Balancing and Work Processes Troubleshoot
SAP Load Balancing and Work Processes Troubleshoot

The benefit of segregating user groups by line-of-business (using logon groups) is related to the point that groups of users (like SD users or HR users, for example) tend to use the same sets of data. They (generally) work with the same groups of tables and hit the same indexes using the same programs (transactions).

So, if you can group all of the users hitting the same tables, onto (or one set of) App server(s), then you can tune the App server buffers to a much greater extent. If the FI users (generally) never hit against the HR tables then the App servers in the FI group don't (generally) have to buffer any HR data. That leaves you free to make memory and buffer adjustments to a more drastic extent, because you don't have to worry (as much) about screwing the HR users (as an example), when you're adjusting the FI server group.

So, (in opinion only) you should start with a buffer hit ratio analysis / DB table & index access analysis (by user group) to see where you would get the best benefit from this kind of setup. If you don't have this kind of info, then creating logon groups by line-of-business may have no benefit (or worst case, may make performance degrade for the group with the highest load %). You need some historical information to base your decision on, for how to best split the users up.

You may find that 50% of the load is from the SD users and so you may need one group for them (with 3 App servers in it) and one other group for everyone else (with the other 3).

The logon group(s) will have to be referenced by SAP GUI, so SAP GUI (or saplogon.ini + maybe the services file, only) will have to change to accomodate any new groups you create in SMLG. Also consider that there's variables for time-of-day (load varies by time-of-day) and op-mode switches (resources vary by op-mode).

All Work process are running? What will be our action?

Are all the work processes (dia,btc,enq,upd,up2,spo) running or just all the dialog work processes?

If all the work processes are running, then you may want to look at SM12 (or is SM13?) and see if updates are disabled. If they are, look at the alert log (if it's an Oracle database) and see if you have any space related errors (e.g. ORA-01653 or ORA-01654). If you do, add a datafile or raw device file to the applicable tablespace and then, re-enable updates in SM12.

If only all the dialog work processes are running, there are several possible causes. First, look to see if there's a number in the Semaphore column in SM50 or dpmon. If there is, click once on one of the numbers in the Semaphore column to select it and then, press F1 (help) to get a list of Semaphores. Then, search OSS notes and, hopefully, you'll find a note that will tell you how to fix the problem.

If it's not a semaphore (or sometimes if it is), use vmstat on UNIX or task manager on Windows to see if the operating system is running short on memory which would cause it to swap. In vmstat, the free column (which is in 4k pages on most UNIX derivatives) will be consistently 5MB or so and the pi and/or po columns will have a non- zero value. The %idle column in the cpu or proc section will be 0 or a very low single digit while the sys column will be a very high double-digit number because the operating system is having to swap programs out to disk and in from disk before it can execute them.

In task manager, look at free memory in the physical memory section under the performance tab. If it's 10MB or 15MB (I think), then the operating system will be swapping.

Usually, when all the dialog work processes are running, you won't be able to log in via SAPgui and will need to execute the dpmon utility at the commandline level. The procedure is basically the same on UNIX and Windows.

On UNIX:

telnet to server and login as sidadm user.
cd to /sapmnt/SID/profile directory
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_hercules_DVEGMS00) select option "m" and then, option "l"

On Windows:

Click on START, then RUN
Type "cmd" and press enter
change to drive where profile directory resides (e.g. f:)
cd to \sapmnt\SID\profile
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_zeus_DVEGMS00) select option "m" and then, option "l"

On both operating systems, you'll see a screen that looks like what you see in SM50. Depending on what you see here, will depend on what you do next, but checking the developer trace files (e.g. dev_disp) in the work directory (e.g. /usr/sap/SID/DVEGMS00/work) is never a bad idea.

Tips by : Bob Pate

Thursday, April 10, 2008

Note 19466

Note 19466

Summary

Symptom

Downloading a kernel patch in the Service Marketplace, Software Distribution Center, sapserv.

Other terms

Download, Software Center, sapservX, kernel, binary patch
SAPEXE, SAPEXEDB, disp+work, tp, R3trans, lib_dbsl
Support Package Stacks


Solution Download from SAP Service Marketplace


Patches for the SAP kernel are available on the SAP Service Marketplace Software Distribution Center on the Internet under the following address:

http://service.sap.com/patches

You can find detailed information about navigation, on the home page. The easiest way is to navigate via your product ("Entry by application group") to the required kernel version. Alternatively, you can use the search function ("Search for Support Packages and Patches") and enter the search string "SAP Kernel".

  • Navigate to the required kernel version, for example,
    "SAP Kernel 6.40 64-bit"
  • Choose your operating system, for example, AIX_64. You can find all
    database independent SAP kernel programs under "Database independent".
  • You can find database specific kernel patches under the database
    version, for example SAP DB.

Remember that to update your kernel completely, you have to download patches from both directories.

In the directories on the Service Marketplace, the following information is displayed for a patch:

    • File name (can differ from the patch names described below)
    • Short text
    • Patch level
    • "Info" link. This contains the information file described below, with references to the corrections contained in the patch and notes.


To download a patch, click on the patch name. Alternatively, you can use the right mouse button (-> Save As). Further information is available in the Software Center help.

Caution: altered recommendation concerning the import of kernel patches!

Kernel stack / Support Package stacks (as of Kernel 4.6D)

For regular maintenance, we recommend that you import Support Package stacks (you can find further information under http://service.sap.com/sp-stacks). A Support Package stack consists of advanced kernel patches ("kernel stacks"), which are offered as a complete package. A kernel stack is made up of the Database independent archive "SAPEXE", as well as the Database dependent archive "SAPEXEDB". On the service marketplace, they are labeled as "Kernel part I" / "Kernel part II" with the specification of the stack version (for example "Stack Q3.2004"). Only import other patches if you have an actual problem.

The existing recommendation continues to apply for the Kernel releases 3.1 (_EXT) to 4.5B (_EXT), for which no kernel stacks are available: regularly import the Packages DW.SAR, R3TRANS.SAR, TP.SAR as well as LIB_DBSL.SAR. Only import all other patches if you have an actual problem.

Changing extended maintenance (3.1I_EXT, 4.0B_EXT, 4.5B_EXT, 4.6D_EXT). Refer to Note 663811 or http://service.sap.com > SAP NetWeaver > Ext.Maintenance of SAPkernels 3.1I_COM, 4.0B_COM, 4.5B, 4.6D.
Kernel Release 6.20 / Dependences with SAP J2EE Engine 6.20

When using the SAP J2EE Engine 6.20 in combination with a 6.20 ABAP backend with SAP Kernel 6.20, note the following:
When importing a dw patch, the fast RFC interface (via which part of the communication between the SAP J2EE Engine and the SAP Kernel is effected) must be updated consistently. For this reason, the dw patch contains the Archive FRFCLIB32.SAR (for 32-bit JAVA VM) or FRFCLIB64.SAR (for 64-bit JAVA VM). To update the fast RFC interface consistently, this archive has to be unpacked into the "os_libs" directory of each J2EE instance.

UNICODE kernel as of Release 6.20

As of Release 6.20, a so-called Unicode kernel (Directory "SAP KERNEL 6.20 32/64-bit UNICODE" is offered for download. This kernel is exclusively suited for Unicode systems. It must not be used for normal "non-Unicode" systems under any circumstances.

Kernel 6.40 downward-compatible for 6.20 / 6.10

The kernel for Release 6.40 is downward-compatible with 6.x so that the kernel of the current release can be used to eliminate kernel errors without the SAP System itself having to be upgraded to the new release. Use the current 6.40 patch kernel for troubleshooting because patches for lower 6.20 kernels will only remain available for a short time.
However, it is important that each patch always matches a particular kernel release. For example, you cannot use individual 6.40 executables together with older kernel versions. Therefore, if you want to import a 6.40 patch and are still working with an older kernel, you have to exchange the kernel beforehand.
Refer to Note 664679,
"Installing a 6.40 kernel into a system with 6.10/6.20 Web AS".

Kernel 4.6D / 4.6D_EXT is downward-compatible with 4.6A/B/C

To use the downward-compatible 4.6D Kernel in 46A/B/C systems, the same steps apply as those described above.
Refer to Note 318846, "Installing 4.6D kernel in 4.6A/B/C SAP Systems", for this.

Kernel 4.5B / 4,5B_EXT is downward-compatible for 4.5A


To use the downward-compatible 4.5B kernel with 4.5A systems, the same steps apply as those described above.
Refer to Note 149682, "Installation of 4.5B kernel with 4.5A DB"

Kernel 4.0B_COM / 4.0B_EXT is downward-compatible for 4.0B, 4.0A.


To use the downward-compatible 4.0B_COM kernel with 4.0A systems, the same steps apply as those described above.
Refer to Note 102461, "Installation of 4.0B kernel with 4.0A DB"

Kernel 3.1I_COM / 3.1I_EXT is downward-compatible as of 3.0C

To use the downward-compatible 3.1I kernel with 3.x systems, the same steps apply as those described above.
Refer to Note 102445, "Installation of 3.1I kernel with 3.0C/D/E/F ,3.1G/H-DB".

Patch formats


The patches of the individual programs are ".SAR" SAR or CAR archives. In the Software Center, the patch level and further information are displayed for every patch (link "Info" in analogy with the former "Info file" on sapserv). Always use the patch with the highest version number.

Change of the naming convention (01/2003)
New (01/2003): _-.
Example: DW_559-10001684.SAR
Old : .
Example: DW.SAR

Kernel Archive SAPEXE.SAR / SAPEXEDB.SAR (ab 4.6D)

These archives contain the complete SAP kernel:

  • SAPEXE.SAR: all database independent executables and libraries
  • SAPEXEDB.SAR: database specific executables

Both archives are always needed to update a kernel.
For regular system maintenance, the newest SAPEXE / SAPEXEDB packages (kernel stacks) should generally be used.

dw.SAR kernel patches


In addition to the "disp+work" kernel runtime, a number of programs are contained in the dw.SAR CAR archives which, because of existing dependencies, must always be used in consistent versions. Link "Info" in the Software Center has the same contents as is shown when calling "disp+work -V". The link contains information about the SAP and database version and the kernel patch level.

Note: As of Release 4.6A, the "RSYN" has been integrated into the "disp+work"kernel and is no longer stored in a separate "rsyn.bin" file. Therefore, the "rsyn.bin" file is no longer contained in the patch either.

.SAR archive files


A new SAPCAR archive tool was imported with Basis Release 4.6C, which describes archives in a changed format. To differentiate between the archive formats, SAP uses the .SAR filename extension for the new archives.
The SAR archives are unpacked using "SAPCAR -xvf .SAR".

Note: You can only unpack the SAR archive using the SAPCAR tool, whereas you can unpack the CAR archives with the CAR and SAPCAR tools. Also refer to Note 212876, "The new SAPCAR archiving tool".

.CAR archive files

The CAR archives are unpacked using "CAR -xvf .CAR". You can find the CAR tool for UNIX at /usr/sap//sys/exe/run/CAR, for NT at %homedrive%%homedir%\INSTALL\car.exe, or on the kernel CD in the platform-specific directory.

Copying and installing a patch
    1. Copy the patch into a temporary directory on your system.
    2. Unpack the patch as described above.
    3. Stop the SAP System. (With NT you may also have to stop the SAP services using the Control Panel).
    4. Save the kernel directory by backup or by copying into a separate backup directory.
    UNIX: /usr/sap//sys/exe/run
    NT: :\usr\sap\\sys\exe\run
    If you use a 4.6D-based SAP system (64-bit, non-Unicode) or a SAP system 6.20 or higher (32-bit or 64-bit, Unicode or non-Unicode), there are also the following kernel directories:
    NT: :\usr\sapsys\exe\nuc\ (Non-Unicode)
    NT: :\usr\sapsys\exe\uc\ (Unicode)
    5. This way, you will always have the option to return to the old kernel
    version if problems occur with the new patch.
    6. Copy or move the unpacked programs into the SAP kernel directory.


Header Data



Release Status:Released for Customer
Released on:14.10.2004 06:33:07
Priority:Recommendations/additional info
Category:Consulting
Primary Component:XX-SER-SAPSMP-SWC SAP Service Marktplatz - Software Distribution Center

Affected Releases

Release-Independent

SAProuter - How to setup the saprouter ? What is the saprouter ?

SAProuter - How to setup the saprouter ? What is the saprouter ?


[ Home ]
SAProuter - How to setup the saprouter ? What is the saprouter ?
The program SAProuter is the router (software) for the connection from customers to SAP and vice versa.
SAP Kernel Programs
SAProuter in a SAP System
What ports to open for a SAProuter ?
How to setup the SAProuter for an SNC Internet-Connection ?
How to setup the SAProuter for an VPN-Internet-Connection ?
How to setup the SAProuter for NON-Internet-Connection ?
How to download the latest version ?
SAProuter online help with all supported command line options and further examples
SAProuter in a SAP System

This tool SAProuter is designed, to connect different IP Networks even when the IP adresses are in conflict as it does a network adress translation itself. So, this is always used in order to connect SAP with the customer's systems. This is the case for the way from SAP to the customers and mostly the case as well for logging on into the SAP systems from customer's site as well. If the customer uses the SAPNet R/3 Frontend, he has to use the SAProuter on his site.
Further information is available in the very good note 30289.
What ports to open for a SAProuter ?

From external to the SAProuter (mostly from Internet to DMZ)
The SAProuter is running (listening) on port 3299 by default. When you change this with the option "-S" you have to open a different service. But, by default it is just the port 3299 inbound that needs to be available from external partners. The SAProuter now changes the ports to the "original" ones on the computer where the SAProuter is running. So, it looks like for the target system, as if the request would always come from the computer where the SAProuter is running. From the SAProuter to the internal systems (mostly from DMZ to intranet)
The SAProuter rerouts all requests from the port 3299 where it is receiving the data to the original ports. Therefore, it is necessary, that you open all ports from the SAProuter to your intranet, that are used in your environment.This is normally at least the SAP system. The SAP systems dispatcher is running on port 32nn where nn is the system number. So, you might have to open port 3200 - keep in mind, that 3299 to the intranet normally is NOT necessary.Overview of a few typical applications and their port needs (especially for the access from SAP to your system):
32nn: R3 Support Connection
23: Telnet
1503: Netmeeting
5601: PC-Anywhere
3389: Windows Terminal Server (WTS)

How to setup the SAProuter for an VPN-Internet-Connection ?

Even when VPN often sounds horrible complicated this is pretty easy in this scenario ...
You just grap the "Remote Connection Data Sheet" from note 28976 and return it filled in to SAP either via Fax or via SAPNet R/3 Frontend (OSS) with componente XX-SER-NET-OSS-NEW (The short text for that message must be "Remote Connection Data Sheet").In this "Remote Connection Data Sheet" you mainly have to let SAP know the official IP adress of your VPN Server and the second official IP adress of your SAProuter. You then forward this second IP to the server of your choice where you want to run the SAProuter.SAP will setup the VPN access for you and will return the necessary preshared key with the official SAP IP adresses in a few days to you. You then setup your end of the VPN and everything is fine.Installation of the SAProuter itself for VPN works identically to the way via a private line for non internet connections as described below.
How to setup the SAProuter for NON-Internet-Connection ?

The following description is designed for Windows, but for other platforms, there is documentation available as well in the SAP Help Portal.
First you have to setup a physically direct connection to SAP. This can be an ISDN-, Frame-Relay or similar connection. If a direct connection from your site is not feasable, you can have a look to some service providers, if they can offer you a "OSS-Connection" to SAP for a useful fee.Then you receive a special official IP-Adress from SAP (mostly 2 IPs). One of the IP adresses has to become attached to the server you want to run SAProuter on. This means, that this server can receive several IP adresses (at least your normal local one and the official one from SAP).
Create the subdirectory saprouter in the directory :\usr\sap.
Copy the SAProuter.exe either from :\usr\sap\\SYS\exe\run or get the latest one as described below from the SAP Service Marketplace.
Install the SAProuter as service as follows:ntscmgr install SAProuter -b :\usr\sap\saprouter\saprouter.exe -p "service -r "(The "parameter" has to become replaced with the additional parameters you are using. This is mostly not necessary at all)
Define the general attributes of the service:In Control Panel->Services, set the startup type to “automatic” and enter a user. SAProuter should not run under the SystemAccount.
To avoid the error message “The description for Event ID (0)” in the Windows NT event log, you must enter the following in the registry: Under HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Eventlog->Application, create the key saprouter and define the following values under it:EventMessageFile (REG_SZ): :\usr\sap\saprouter\saprouter.exeTypesSupported (REG_DWORD): 0x7
Every SAProuter needs a file called "saprouttab". This is normally expected in the same directory as saprouter.exe is located. You should have a look at the end of this web-site or to the SAP Help Portal how to setup this for productive use.Right for the moment for tests, the following line in the file :\usr\sap\saprouter\saprouttab is sufficient:P * * *(Please change this as soon as your tests are done, as this file opens all ports and all of your systems!)
Now, have fun with your SAProuter after starting it via the Windows Service Manager!

How to download the latest version ?

You can download the latest version of all the SAP Executables in the SAP Service Marketplace. As the binaries are different for each platform, you should have a look at the following link:Download Executable Patches on the SAP Service Marketplace
SAProuter online help with all supported command line options and further examples

SAP Network Interface Router
start router : saprouter -r
stop router : saprouter -s
soft shutdown: saprouter -p
router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush " : saprouter -f
start router with third-party library: saprouter -a library
additional options
-R routtab : name of route-permission-file (default ./saprouttab)
-G logfile : name of log file (default no logging)
-T tracefile : name of trace file (default dev_rout)
-V tracelev : trace level to run with (default 1)
-H hostname : of running saprouter (default localhost)
-S service : service-name / number (default 3299)
-P infopass : password for info requests
-C clients : maximum no of clients (default 801)
-Y servers : maximum no of servers to start (default 1)
-K [myname] : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D : switch DNS reverse lookup off
expert options
-B quelength : max. no. of queued packets per client (default 1)
-Q queuesize : max. total size for all queues (default 20000000 bytes)
-W waittime : timeout for blocking net-calls (default 5000 millisec)
-M min.max : portrange for outgoing connects, like -M 1.1023
-U abs_path : absolute path for Unix Domain Sockets,
default is "/tmp/.sapstream%d"
# this is a sample routtab : -----------------------------------------
D host1 host2 serviceX
D host3
P * * serviceX
P 155.56.*.* 155.56
P 155.57.1011xxxx.*
P host4 host5 * xxx
P host6 localhost 3299
P host7 host8 telnet
S host9
P0,* host10
KP sncname1 * *
KS * host11 *
KD "sncname "abc" * *
KT sncname3 host11 *
# deny routes from host1 to host2 serviceX
# deny all routes from host3
# permit routes from anywhere to any host using serviceX
# permit all routes from/to addresses matching 155.56
# permit ... with 3rd byte matching 1011xxxx
# permit routes from host4 to host5 if password xxx supplied
# permit information requests from host6
# permit native-protocol-routes to non-SAP-server telnet
# permit ... excluding native-protocol-routes (SAP-servers only)
# permit ... if number of preceding/succeeding hops (saprouters) <= 0/*
# permit SNC-connection with partnerid = 'sncname1' to any host
# permit all SAP-SAP SNC-connections to host11
# deny all SNC-connections with partnerid = 'sncname "abc'
# open connects to host11 with SNC enabled and partnerid = 'sncname3'
# first match [host/sncname host service] is used
# permission is denied if no entry matches
# service wildcard (*) does not apply to native-protocol-routes
# --------------------------------------------------------------------
If you have some more ideas to this topic, please let us know via the Feedback Area.
[ go to top ]
back
04/10/2008, 18:47:49
Contact Us Advertise Add URL Contribute Post a resume Post a job About Privacy Terms Feedback Help!
Sign Guestbook Read Guestbook Message Board Discussion Forum Polls Consultants:Advertise your skills Companies:Advertise on SAPGenie Email this page
Ó2001 SAPGenie.COM. All rights reserved.
All product names are trademarks of their respective companies. SAPGenie.COM is in no way affiliated with SAP AG. Every effort is made to ensure content integrity. Use information on this site at your own risk.

FAQ - Single Sign On

FAQ - Single Sign On

This Document Provides Answers to Frequently Asked Questions About:


What is the difference between authentication and Single Sign-On?

In computer security, authentication is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party.

Single Sign-On is the subsequent automated authentication for additional systems after the user has logged on once. In this case, the authenticating system passes the user information to the subsequently called system. This is done in the background; that is, the user does not need to authenticate himself or herself again after his or her first logon.

Back to top

What options are there for authentication for the SAP Web Application Server?

Web Based Authentication Methods:

  • Anonymous/ guest access

  • User ID/ password (only authentication, not Single Sign-On)

    • Form based

    • Basic authentication

  • X.509 digital certificates

  • SAP Logon Tickets

  • External authentication methods

    • HTTP header variable authentication (not ABAP except for X.509 certificate information forwarding)

    • Security Assertion Markup Language (SAML – only Java)

    • Through Java Authentication and Authorization Services (JAAS – only Java). External authentication can be performed using a JAAS module with SAP Web Application Server 6.30. The module is not supplied by SAP, but can be implemented by customers and connected using a standardized interface. JAAS allows you to set a separate authentication mechanism for each application.

SAP GUI for Windows

  • SAP-certified SNC product, external security product (authentication takes place outside of SAP system)

  • SAP provided wrappers for Microsoft Windows authentication mechanisms:

    • Windows NTLM

    • Windows 2000 Kerberos

  • SAP Shortcut Method (SAP Logon Ticket)

SNC is an integration layer with which a partner product for user authentication can be included in the SAP system landscape. SNC can only be used with SAP protocols (DIAG, RFC, SAP ITS AGate/WGate), and not with the Internet protocol HTTP. This means that it cannot be used with SAP GUI for HTML; only SAP GUI for Java und SAP GUI for Windows can be secured using SNC. Pluggable Authentication Service (PAS) can be used for Web-based access - see below. In addition to the integration of a third-party product, you can also use existing authentication infrastructures, for example for Microsoft Windows NT or Microsoft Windows 2000 through SNC. For an overview of the partner products certified by SAP for this interface (which is based on the Generic Security Services [GSS] standard), see Security Partners.

The user logs on to the partner product; the SNC user name is then mapped to the SAP user name. The SAP system accepts the logon information, and additional authentication is not required. Security mechanisms of different strengths can be used, such as, such as Public-Key cryptography or Kerberos, depending on the product you are using.

SAP provides mapping libraries free of charge for Microsoft Windows NT and Microsoft Windows 2000. These do not contain any cryptographic functions themselves, but rather access the relevant Microsoft Security Provider APIs. These can be used instead of a partner product.

For more information, see http://service.sap.com/security > Security in Detail > Secure System Management

SAP WebGUI

  • X.509 client certificate

  • SAP Logon Ticket

Back to top

What options are there for single sign-on for SAP GUI?

The procedure used for Single Sign-On depends on the SAP GUI in use.

SAP GUI for HTML (Available with SAP Web AS and SAP ITS)

  • SSO can be implemented using SAP Logon Tickets. This is a proprietary SAP solution, contain in the standard version of the software. For more information about SAP Logon Tickets, see How do SAP logon tickets work?.

  • SSO can also be implemented using digital certificates - see authentication. There are advantages and disadvantages to this approach, as described under Which is the most secure option?.

  • For the ITS, you can also implement external authentication using the Pluggable Authentication Service (PAS). For more information, see Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system. For more detailed information, see the relevant documentation.

SAP GUI for Java

  • SNC can be used in this case; see also Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system.

SAP GUI for Windows

  • You can implement SSO using SNC through a partner product; see also Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system.

  • A cost-effective alternative to a partner product is to use Microsoft Windows NTLM or Microsoft Kerberos, which is contained in Microsoft operating systems at no additional cost. This variant can only be implemented in a purely Microsoft environment; if other components are used, you must purchase an additional partner product (for more information, see SAP Note 352295). For information about certified partners that provide suitable products for SNC, see Security Partners.

  • You can implement SSO using SAP Shortcuts. These are available as of SAP R/3 4.0B under Microsoft Windows NT and Microsoft Windows 95 installations. SAP Shortcuts are useful for frequently used transactions or reports; a shortcut of this type means that they can be started directly from the desktop. System data, the name of the transaction or report, and the user’s logon data are stored in the shortcut. The password can also be stored here; this means that it is not necessary to enter it again during the logon. However, we recommend that you exercise caution in this situation: SAP Shortcuts store the logon data directly on the front end. As any user that can access the front end desktop can also activate the shortcut, if there is a lack of security at the front end, there is a danger that the logon data will be misused. The SAP Shortcut could also be copied to another front end computer, if access to the file system is not appropriately secured. Passwords should therefore only be stored in SAP Shortcuts if there is adequate security at the front end. You should also note that this is not a genuine Single Sign-On scenario, as each SAP Shortcut is a separate logon to the relevant SAP system. However, an actual Single Sign-On solution for SAP Shortcuts can be implemented in connection with SNC. As of SAP R/3 4.5, the SNC procedure for SSO also applies for SAP Shortcuts. For more information about SAP Shortcuts, see the SAP R/3 online documentation (as of SAP R/3 4.5) under General Information > Getting Started with R/3 > Daily Start-Up/Shutdown of the R/3 System > SAP Shortcut and SAP Note 99054.

Back to top

Must a user have the same password in all systems that are part of an SSO landscape?

No. The passwords can be different in the different systems; this does not affect the setting up of Single Sign-On in any way.

Back to top

After a year, Single Sign-On suddenly no longer works. What could the reason for this be?

This error can occur due to an expired server certificate on the system that issues the SAP Logon Tickets. Certificates for servers, which are signed by a Certification Authority (CA) such as the SAP Trust Center Service (SAP_CA), are usually valid for a year. Although the SAP Logon Tickets for SSO are still issued after this period, an error message is triggered by the receiving system when it checks the certificates. "Self-signed" certificates, which are not issued by a CA, but by the server itself, usually have a significantly longer validity period. To avoid the certificates expiring in future, a new report has been created that provides warning in good time before the expiration of the validity of installed certificates. For more information about this, see SAP Notes 572035 (Warning about expired security certificates) and SAP Notes 499386 ("Invalid logon ticket" for CA certificates) - SMP login required..

Back to top

How do SAP logon tickets work? Can they also be used to include non-SAP products in an SSO environment?

SAP Logon Tickets generate SSO for SAP solutions with Web-based access, that is, for applications that are based on SAP Web Application Server or SAP ITS. An SAP Logon Ticket is used only for the purposes of SSO and cannot be used for initial authentication. To obtain a Logon Ticket, the user must first logon using a different procedure, such as a user name and a password or a digital certificate. The Logon Ticket is contained in a cookie that is forwarded to the user’s Web browser by the issuing system. It is forwarded from the user’s browser to the subsequently called systems that are integrated into the SSO landscape. The user logs on only once. The ticket itself contains the user name, a timestamp, information about the issuing system, and a certain validity period, which can be configured using a system profile parameter , and which can range from a few minutes to several hours. To protect the authenticity and the integrity of the ticket, it is digitally signed by the issuing system. The prerequisite for the use of SAP Logon Tickets is the use of identical user names in the systems that issue and accept the ticket. The SAP Enterprise Portal is an exception to this rule; in this case, an external user name can be specified in the ticket itself.

The advantage of SAP Logon Tickets over an SSO solution using digital certificates is that the (person-related) Public-Key Infrastructure, which is required to administer digital certificates and can be cost-intensive, is not required. Logon Tickets that have already been checked can be buffered for the duration of their validity, which improves performance. To avoid it being stolen through interception, the ticket should be protected using SSL. Many external systems can also be configured to accept and verify SAP Logon Tickets. You can do this using a library provided by SAP, which is then integrated into the external software. The following SAP systems can issues SAP Logon Tickets: systems as of SAP Basis 4.6C (see SAP Note 358469), SAP Web Application Server 6.10 and above, SAP Enterprise Portal 5.0 and above. SAP systems as of SAP Basis 4.0 can accept SAP Logon Tickets (see SAP Note 177895).

Back to top

Are authentication and SSO connected with Central User Administration (CUA)?

No. Central User Administration simply centralizes the administration of user and role data across a large number of SAP systems. The data contained there only applies after the user has already logged on; authentication and, if appropriate, Single Sign-On have therefore already taken place. Setting up a CUA therefore does not affect authentication and SSO procedures in any way; however, it does provide the basis for the use of SAP Logon Tickets due to the assignment of uniform cross-system user names. Implementing CUA also does not provide any form of password synchronization between the central and child systems. Initial passwords are an exception to this rule, and it is also possible to reset passwords. This can be done both in the local child systems and in the central system (with distribution to selected systems).

Back to top

Are authentication and SSO connected with LDAP user data synchronization (LDAP Connector, LDAPMAP)?

No. Since SAP Basis 4.6, SAP systems have had an LDAP Connector, which allows connection to an LDAP directory. However, only individual accesses to the LDAP directory are possible in this version. Data synchronization between SAP R/3 and the LDAP directory was standardized with SAP Web AS 6.10, and mass synchronization is possible. The data synchronization applies only to user and role data, however. Authentication and SSO functions are provided neither using the LDAP Connector nor through transaction LDAPMAP. For information about transferring an external authentication to the LDAP directory, see Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system?.

Back to top

How do authentication and SSO work in the SAP NW Portal?

The SAP Netweaver Portal offers the same possibilities for user authentication as SAP Netweaver AS Java. In Addition Account Aggregation ist supported. With this procedure, a portal user (or a user group) is associated with the user name and password for an application. This allows SSO even for applications that cannot accept SAP Logon Tickets. The administrator, or the user can perform the required mapping using a graphical interface. The portal stores the data in the portal database. For security reasons, all password information is encrypted using a triple DES algorithm.

For more information about authentication and SSO in the SAP Enterprise Portal, see Solution in Detail: Security in the mySAP Enterprise Portal.

Back to top

Does SAP offer a Trust Center?

Yes. For more information, see the SAP Service Marketplace using the alias TCS. SAP offers client certificates, server certificates, for example, for Secure Socket Layer, and router certificates for service connections through SAPRouter.

Back to top

Where is the SAP Passport physically stored?

Passports are stored wherever the browser stores its certificates. In the case of Microsoft Internet Explorer, this is the registry. You can usually also replace the browser storage using a third party product, for example a smart card or a central Personal Security Environment (PSE) server.

Back to top

SAP Passports - where can I learn more about it?

On SAP Service Marketplace at htttp://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000282722& you find a detailed description of the process in the presentation "SAP Passports - How to get started". To test SAP passport functionality in your SAP Workplace, please generate a Certificate Request (CR) and send message on component BC-SEC to SAP via SAP Net R/3 Frontend (OSS) or SAP Service Marketplace. We will send you the necessary certificate for your Registration Authority (RA).

Back to top

Does SAP also support newer standards, such as SAML or the Liberty Alliance Project?

Security Assertion Markup Language (SAML)

With SAP Web Application Server 6.30, the SAP J2EE Engine can accept SAML tickets for logon in the browser artifact scenario. For more information about SAML, see http://www.oasis-open.org. For information about SAML in the SAP context, and about other security standards, see http://service.sap.com/security > Security in Detail > Security Standards.

Liberty Alliance Project

SAP is a sponsor of Liberty Alliance Project, an initiative to establish a standard for federated digital identities on the Web. Its aim is to use specifications to develop open standards that can be used internationally across industries. For more information about the Liberty Alliance, see http://www.projectliberty.org/ .

Back to top

Where can I find more information about documentation about this topic?

For documentation, manuals, and other information material, see the SAP Service Marketplace at:

  • http://service.sap.com/security > Security in Detail > Secure System Management

  • http://service.sap.com/security > Security in Detail > Trust Relationship Management

For SAP Notes about this topic, see http://service.sap.com/security > SAP Security Notes. SAP Notes about SNC and the following SAP Notes are of particular interest:

Back to top

Wednesday, April 9, 2008

Single Signon | SAP Security, SAP Security, Authorizations

Single Signon | SAP Security, SAP Security, Authorizations

Single Signon

By: saketpratap | 28 May 2007 5:52 am
What is the difference between authentication and Single Sign-On?

In computer security, authentication is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party.

Single Sign-On is the subsequent automated authentication for additional systems after the user has logged on once. In this case, the authenticating system passes the user information to the subsequently called system. This is done in the background; that is, the user does not need to authenticate himself or herself again after his or her first logon.

What options are there for authentication for the SAP Web Application Server?

Web Based Authentication Methods:

Anonymous/ guest access

User ID/ password (only authentication, not Single Sign-On)

Form based

Basic authentication

X.509 digital certificates

SAP Logon Tickets

External authentication methods

HTTP header variable authentication (not ABAP except for X.509 certificate information forwarding)

Security Assertion Markup Language (SAML – only Java)

Through Java Authentication and Authorization Services (JAAS – only Java). External authentication can be performed using a JAAS module with SAP Web Application Server 6.30. The module is not supplied by SAP, but can be implemented by customers and connected using a standardized interface. JAAS allows you to set a separate authentication mechanism for each application.

SAP GUI for Windows

SAP-certified SNC product, external security product (authentication takes place outside of SAP system)

SAP provided wrappers for Microsoft Windows authentication mechanisms:

Windows NTLM

Windows 2000 Kerberos

SAP Shortcut Method (SAP Logon Ticket)

SNC is an integration layer with which a partner product for user authentication can be included in the SAP system landscape. SNC can only be used with SAP protocols (DIAG, RFC, SAP ITS AGate/WGate), and not with the Internet protocol HTTP. This means that it cannot be used with SAP GUI for HTML; only SAP GUI for Java und SAP GUI for Windows can be secured using SNC. Pluggable Authentication Service (PAS) can be used for Web-based access - see below. In addition to the integration of a third-party product, you can also use existing authentication infrastructures, for example for Microsoft Windows NT or Microsoft Windows 2000 through SNC. For an overview of the partner products certified by SAP for this interface (which is based on the Generic Security Services [GSS] standard), see Security Partners.

The user logs on to the partner product; the SNC user name is then mapped to the SAP user name. The SAP system accepts the logon information, and additional authentication is not required. Security mechanisms of different strengths can be used, such as, such as Public-Key cryptography or Kerberos, depending on the product you are using.

SAP provides mapping libraries free of charge for Microsoft Windows NT and Microsoft Windows 2000. These do not contain any cryptographic functions themselves, but rather access the relevant Microsoft Security Provider APIs. These can be used instead of a partner product.

For more information, see http://service.sap.com/security > Security in Detail > Secure System Management

SAP WebGUI

X.509 client certificate

SAP Logon Ticket

What options are there for single sign-on for SAP GUI?

The procedure used for Single Sign-On depends on the SAP GUI in use.

SAP GUI for HTML (Available with SAP Web AS and SAP ITS)

SSO can be implemented using SAP Logon Tickets. This is a proprietary SAP solution, contain in the standard version of the software. For more information about SAP Logon Tickets, see How do SAP logon tickets work?.

SSO can also be implemented using digital certificates - see authentication. There are advantages and disadvantages to this approach, as described under Which is the most secure option?.

For the ITS, you can also implement external authentication using the Pluggable Authentication Service (PAS). For more information, see Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system. For more detailed information, see the relevant documentation.

SAP GUI for Java

SNC can be used in this case; see also Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system.

SAP GUI for Windows

You can implement SSO using SNC through a partner product; see also Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system.

A cost-effective alternative to a partner product is to use Microsoft Windows NTLM or Microsoft Kerberos, which is contained in Microsoft operating systems at no additional cost. This variant can only be implemented in a purely Microsoft environment; if other components are used, you must purchase an additional partner product (for more information, see SAP Note 352295). For information about certified partners that provide suitable products for SNC, see Security Partners.

You can implement SSO using SAP Shortcuts. These are available as of SAP R/3 4.0B under Microsoft Windows NT and Microsoft Windows 95 installations. SAP Shortcuts are useful for frequently used transactions or reports; a shortcut of this type means that they can be started directly from the desktop. System data, the name of the transaction or report, and the user’s logon data are stored in the shortcut. The password can also be stored here; this means that it is not necessary to enter it again during the logon. However, we recommend that you exercise caution in this situation: SAP Shortcuts store the logon data directly on the front end. As any user that can access the front end desktop can also activate the shortcut, if there is a lack of security at the front end, there is a danger that the logon data will be misused. The SAP Shortcut could also be copied to another front end computer, if access to the file system is not appropriately secured. Passwords should therefore only be stored in SAP Shortcuts if there is adequate security at the front end. You should also note that this is not a genuine Single Sign-On scenario, as each SAP Shortcut is a separate logon to the relevant SAP system. However, an actual Single Sign-On solution for SAP Shortcuts can be implemented in connection with SNC. As of SAP R/3 4.5, the SNC procedure for SSO also applies for SAP Shortcuts. For more information about SAP Shortcuts, see the SAP R/3 online documentation (as of SAP R/3 4.5) under General Information > Getting Started with R/3 > Daily Start-Up/Shutdown of the R/3 System > SAP Shortcut and SAP Note 99054.

Must a user have the same password in all systems that are part of an SSO landscape?

No. The passwords can be different in the different systems; this does not affect the setting up of Single Sign-On in any way.

After a year, Single Sign-On suddenly no longer works. What could the reason for this be?

This error can occur due to an expired server certificate on the system that issues the SAP Logon Tickets. Certificates for servers, which are signed by a Certification Authority (CA) such as the SAP Trust Center Service (SAP_CA), are usually valid for a year. Although the SAP Logon Tickets for SSO are still issued after this period, an error message is triggered by the receiving system when it checks the certificates. "Self-signed" certificates, which are not issued by a CA, but by the server itself, usually have a significantly longer validity period. To avoid the certificates expiring in future, a new report has been created that provides warning in good time before the expiration of the validity of installed certificates. For more information about this, see SAP Notes 572035 (Warning about expired security certificates) and SAP Notes 499386 ("Invalid logon ticket" for CA certificates) - SMP login required..

How do SAP logon tickets work? Can they also be used to include non-SAP products in an SSO environment?

SAP Logon Tickets generate SSO for SAP solutions with Web-based access, that is, for applications that are based on SAP Web Application Server or SAP ITS. An SAP Logon Ticket is used only for the purposes of SSO and cannot be used for initial authentication. To obtain a Logon Ticket, the user must first logon using a different procedure, such as a user name and a password or a digital certificate. The Logon Ticket is contained in a cookie that is forwarded to the user’s Web browser by the issuing system. It is forwarded from the user’s browser to the subsequently called systems that are integrated into the SSO landscape. The user logs on only once. The ticket itself contains the user name, a timestamp, information about the issuing system, and a certain validity period, which can be configured using a system profile parameter , and which can range from a few minutes to several hours. To protect the authenticity and the integrity of the ticket, it is digitally signed by the issuing system. The prerequisite for the use of SAP Logon Tickets is the use of identical user names in the systems that issue and accept the ticket. The SAP Enterprise Portal is an exception to this rule; in this case, an external user name can be specified in the ticket itself.

The advantage of SAP Logon Tickets over an SSO solution using digital certificates is that the (person-related) Public-Key Infrastructure, which is required to administer digital certificates and can be cost-intensive, is not required. Logon Tickets that have already been checked can be buffered for the duration of their validity, which improves performance. To avoid it being stolen through interception, the ticket should be protected using SSL. Many external systems can also be configured to accept and verify SAP Logon Tickets. You can do this using a library provided by SAP, which is then integrated into the external software. The following SAP systems can issues SAP Logon Tickets: systems as of SAP Basis 4.6C (see SAP Note 358469), SAP Web Application Server 6.10 and above, SAP Enterprise Portal 5.0 and above. SAP systems as of SAP Basis 4.0 can accept SAP Logon Tickets (see SAP Note 177895).

Are authentication and SSO connected with Central User Administration (CUA)?

No. Central User Administration simply centralizes the administration of user and role data across a large number of SAP systems. The data contained there only applies after the user has already logged on; authentication and, if appropriate, Single Sign-On have therefore already taken place. Setting up a CUA therefore does not affect authentication and SSO procedures in any way; however, it does provide the basis for the use of SAP Logon Tickets due to the assignment of uniform cross-system user names. Implementing CUA also does not provide any form of password synchronization between the central and child systems. Initial passwords are an exception to this rule, and it is also possible to reset passwords. This can be done both in the local child systems and in the central system (with distribution to selected systems).

Are authentication and SSO connected with LDAP user data synchronization (LDAP Connector, LDAPMAP)?

No. Since SAP Basis 4.6, SAP systems have had an LDAP Connector, which allows connection to an LDAP directory. However, only individual accesses to the LDAP directory are possible in this version. Data synchronization between SAP R/3 and the LDAP directory was standardized with SAP Web AS 6.10, and mass synchronization is possible. The data synchronization applies only to user and role data, however. Authentication and SSO functions are provided neither using the LDAP Connector nor through transaction LDAPMAP. For information about transferring an external authentication to the LDAP directory, see Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system?.

How do authentication and SSO work in the SAP NW Portal?

The SAP Netweaver Portal offers the same possibilities for user authentication as SAP Netweaver AS Java. In Addition Account Aggregation ist supported. With this procedure, a portal user (or a user group) is associated with the user name and password for an application. This allows SSO even for applications that cannot accept SAP Logon Tickets. The administrator, or the user can perform the required mapping using a graphical interface. The portal stores the data in the portal database. For security reasons, all password information is encrypted using a triple DES algorithm.

For more information about authentication and SSO in the SAP Enterprise Portal, see Solution in Detail: Security in the mySAP Enterprise Portal.

Does SAP offer a Trust Center?

Yes. For more information, see the SAP Service Marketplace using the alias TCS. SAP offers client certificates, server certificates, for example, for Secure Socket Layer, and router certificates for service connections through SAPRouter.

Where is the SAP Passport physically stored?

Passports are stored wherever the browser stores its certificates. In the case of Microsoft Internet Explorer, this is the registry. You can usually also replace the browser storage using a third party product, for example a smart card or a central Personal Security Environment (PSE) server.

SAP Passports - where can I learn more about it?

On SAP Service Marketplace at htttp://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000282722& you find a detailed description of the process in the presentation "SAP Passports - How to get started". To test SAP passport functionality in your SAP Workplace, please generate a Certificate Request (CR) and send message on component BC-SEC to SAP via SAP Net R/3 Frontend (OSS) or SAP Service Marketplace. We will send you the necessary certificate for your Registration Authority (RA).

Does SAP also support newer standards, such as SAML or the Liberty Alliance Project?

Security Assertion Markup Language (SAML)

With SAP Web Application Server 6.30, the SAP J2EE Engine can accept SAML tickets for logon in the browser artifact scenario. For more information about SAML, see http://www.oasis-open.org. For information about SAML in the SAP context, and about other security standards, see http://service.sap.com/security > Security in Detail > Security Standards.

Liberty Alliance Project

SAP is a sponsor of Liberty Alliance Project, an initiative to establish a standard for federated digital identities on the Web. Its aim is to use specifications to develop open standards that can be used internationally across industries. For more information about the Liberty Alliance, see http://www.projectliberty.org/ .

Where can I find more information about documentation about this topic?

For documentation, manuals, and other information material, see the SAP Service Marketplace at:

http://service.sap.com/security > Security in Detail > Secure System Management

http://service.sap.com/security > Security in Detail > Trust Relationship Management

For SAP Notes about this topic, see http://service.sap.com/security > SAP Security Notes. SAP Notes about SNC and the following SAP Notes are of particular interest:

138498 Single Sign-On Solutions

177895 Refitting the mySAP.com Single Sign-On Capability

389176 Composite Note: SAP Trust Center Service (TCS)