Channel: SCN : All Content - All Communities

Change in Brazilian withholding taxes - Law 13.137 of 19/06/2015


Hi everyone,

Law 13.137 of 19/06/2015 changed the logic of Brazilian withholding taxes, which were previously withheld in accordance with Law No. 10.833 of December 29, 2003.

Information on how to proceed with this change was published in SAP Note 2188371.

Regards,

Renan Correa


SAP Hana Sizing - minimal configuration


Hi gurus, Actually I have one Server running SAP ECC 606 with IDES and Oracle database for demo, this works fine. Now I want to have one Server with IDES and SAP ECC 606 but with SAP Hana for demo too.

 

My actual server is 12 GB RAM and 200GB database oracle. Which could be my minimal RAM memory to run SAP ECC 606 with Hana? Just for demo, no production environment.

 

Regards,

Jose.

Crystal Reports upgrade from versions 8/11 to latest version questions


Hello:

 

We currently have a Delphi application that uses the Tcrpe VCL component to run CR reports at runtime. We want to upgrade this application to the latest version of Delphi (XE8) and also upgrade Crystal Reports to the latest version. From what I read, Crystal Reports doesn't offer VCL components anymore. I did a small proof of concept app where the reports are now displayed via a .Net app, so I am going to take this path for now.

 

Having said that, can you please provide some links related to the following topics:

- Upgrade CR reports from older version to the latest. I found this: From Crystal Reports 2008 to SAP Crystal Reports 2013 or SAP Crystal Reports for Enterprise - Business Intelligence (Bus…  from another post, however we don't use BI. We have a lot of rpt files written in CR 8-11 that would have to be tested and eventually upgraded.

- Deployment requirements/runtime dependencies for .Net apps that run CR reports. I found this: http://www.sdn.sap.com/notes?id=0001215826&boj=/sap/bc/bsp/spn/scn_bosap/notes.do?access=69765F6D6F64653D3939382669765F7 but this link doesn't work: https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/bobj_download/main.htm, I am prompted with a dialog box (see the screenshot below). We need to build a setup that deploys all the dependent dlls, or does SAP have such a setup that can be used to deploy the runtime dlls needed to run CR reports?

- Any other suggestions / recommendations?

 

Also, what are the licensing requirements to deploy such an app? Is there anything that we have to purchase other than the software for designing the reports?

 

Thanks

 

prompt.png

Changing the direction of a Dynamic Container


I want to change the direction of a Dynamic Container. It defaults to right to left, is it possible to change it to left to right, up to down etc? I've been digging through the elements but haven't found anything of help. Maybe the transition effect is done through jQuery instead of CSS?

NFESC - 2.00


Good afternoon everyone.

It has been a while since I worked with NF-es and I have a silly question, but it is a question...

A customer has a process that validates the NF-e for MIRO. Since they do not issue outbound NF-e, they did not do any upgrade to support layout 3.10.

My question is the following:

- by changing the URLs to 3.10 without doing the upgrade, is validation possible?

VCL component for CR export format types vs. .Net export format types questions


Hello:

 

We have a Delphi application that uses the VCL component for displaying CR reports.

 

I have a specific question related to the export options that are present in the VCL component but they are not in the .net version.

 

This is in .Net:

 

  public enum ExportFormatType
  {
    NoFormat,
    CrystalReport,
    RichText,
    WordForWindows,
    Excel,
    PortableDocFormat,
    HTML32,
    HTML40,
    ExcelRecord,
    Text,
    CharacterSeparatedValues,
    TabSeperatedText,
    EditableRTF,
    Xml,
    RPTR,
    ExcelWorkbook,
  }

 

And these are the options in the VCL control:

 

  TCrExportType = (AdobeAcrobatPDF, CrystalReportRPT, EditableWord, HTML32,
    HTML40, MSExcel, MSWord, ODBCTable, Records, ReportDefinition,
    RichText, SeparatedValues, TabSeparatedText, TextFormat, XML1);

 

Here is the mapping between the VCL and .Net:

| VCL | .Net |
|---|---|
| AdobeAcrobatPDF | PortableDocFormat |
| CrystalReportRPT | CrystalReport |
| EditableWord | WordForWindows (?) |
| HTML32 | HTML32 |
| HTML40 | HTML40 |
| MSExcel | Excel or ExcelWorkbook - not sure what is the difference |
| MSWord | WordForWindows |
| ODBCTable | ? |
| Records | ? |
| ReportDefinition | ? |
| RichText | RichText or EditableRTF ? |
| SeparatedValues | CharacterSeparatedValues |
| TabSeparatedText | TabSeperatedText |
| TextFormat | Text |
| XML1 | Xml |

 

Could you please review the table and let me know if there is anything incorrect, and what options do I have where the question marks are?

 

Thanks

Getting Started with Kapsel - Part 18 -- Calendar



Calendar (New in SP06)

This plugin makes it possible to find, create and delete calendar entries in the Android or iOS calendar.  It uses the open source Calendar plugin.

 

For additional details on the Kapsel Calendar plugin see the JavaScript file in a project that includes this plugin at

project_name\plugins\com.sap.mp.cordova.plugins.calendar\www\calendar.js

or the JS Documentation at Kapsel Calendar API Reference.

The following steps will demonstrate an example of using this plugin.

  • Create the project.
    cordova -d create C:\Kapsel_Projects\CalendarDemo com.mycompany.calendar CalendarDemo "{\"plugin_search_path\":\"C:/SAP/MobileSDK3/KapselSDK/plugins/\"}"
    cd C:\Kapsel_Projects\CalendarDemo
    cordova -d platform add android
    
    cordova -d create ~/Documents/Kapsel_Projects/CalendarDemo com.mycompany.calendar CalendarDemo "{\"plugin_search_path\":\"/Users/i826567/SAP/MobileSDK3/KapselSDK/plugins/\"}"
    cd ~/Documents/Kapsel_Projects/CalendarDemo
    cordova -d platform add ios
  • Add the device plugin and the Kapsel or open source calendar plugin.
    cordova -d plugin add org.apache.cordova.device
    cordova -d plugin add nl.x-services.plugins.calendar
    or
    cordova -d plugin add https://github.com/EddyVerbruggen/Calendar-PhoneGap-Plugin
  • Replace www\index.html with the contents of index.html.

  • Copy the files to the platform directory by running
    cordova -d prepare
  • Use the Android IDE or Xcode to deploy and run the project.

    Press the Create Event button, then the Find Event button.  Open the device calendar.


    Note the Create Recurring, Open Calendar and List Calendar buttons only work with the open source version of the Calendar plugin.
    The open source Calendar plugin also contains additional methods that are platform specific.  For example the Android version contains a method calendar.createEventInteractively that when called creates an entry and then displays it in the calendar and the iOS version has methods named calendar.createCalendar and calendar.createEventInNamedCalendar.



 

 

To display a URL in pop up message along with some more messages


Hi All,

 

I have a requirement to display  URL address (like http://help.sap.com )as hyperlink, along with normal text, in dialog screen.

 

For eg, I want to display

" The SAP version 7.0 is no longer supported and must be upgraded. Please contact your IT support to arrange for the latest version. If you have local administration/. Please install yourself.

The latest version can be obtained herefollow the link [http://help.sap.com] "( this is a sample hyperlink but i am using a bigger text here)

 

 

For that I need to know the Function module / Class-Method / HTML code , which I can use.

 

I am fetching the message text from an internal table.

How can I distinguish the normal text from hyperlink text ?

 

I am populating custom control using 'CL_GUI_TEXTEDIT'.

I can use a different class, if that will help me in displaying the hyperlink.

 

Solutions posted to this query would be highly appreciated.

 

Thanks in advance.

 

Regards,

Pavi


SAP API Management - On Premise Edition FAQ


General

1.      What is an API?

API stands for Application Programming Interface. It is a set of routines, protocols and tools for building software applications. APIs are sets of requirements that govern how one application can talk to another. APIs are especially important because they dictate how developers can create new apps that tap into big Web services and social networks. APIs facilitate interaction by selectively exposing certain functionalities, allowing different applications/websites/devices to communicate effectively with each other.

 

2.      What is SAP API Management?

API Management is the process of publishing, promoting and overseeing APIs in a secure and scalable manner. SAP API Management has various capabilities to provide unified access and orchestration based on open standards like REST, OData, OAuth and many more, with enterprise grade security and seamless connectivity to existing SAP back-ends. This simplifies the way developers go about integrating with their SAP and non-SAP applications, reducing cost, fostering innovation and enabling participation in the larger API economy.


3.      What does SAP API Management deliver?

With SAP API Management, you can:

  • Increase workforce productivity
  • Personalized consumer engagement
  • Provide enterprise grade security
  • Reduce IT complexity and total cost of ownership
  • Create custom apps quickly and easily
  • Co innovation with Partners and Customers
  • Opens up new business channels and revenue streams

 

4.      What is the value customers should expect from SAP API Management?

SAP API Management enables provisioning, governance, security and scalability of enterprise information for digital access. It provides for one experience for managing and monitoring APIs across various data platforms (SAP and non-SAP) with real-time analytics and reporting on usage metrics.


5. What are the technical benefits of using SAP API Management?

 

  • APIs are the core of “System of engagement” and are built on enabling efficient delivery and distribution of content and services. The SAP API Management capabilities help businesses simplify the way developers go about integrating with their SAP and non-SAP applications, reducing cost, fostering innovation and improving participation in the API economy. For details refer to http://www.gartner.com/it-glossary/pace-layered-application-strategy/
  • SAP API Management not only provides enterprise grade security that ensures optimized performance, but also helps monitor and manage APIs
  • Unlike SOA strategies, which typically assume that internal users are accessing the services, an API strategy targets engagement with a variety of business and software development partners that are as likely to be external as internal. SAP API Management delivers important additional capabilities: developer portal, key management and approval, metering and billing capabilities.

 

6. How is SAP API Management placed in SAP portfolio?

SAP has many API providers such as SAP Gateway, SAP HANA Platform, SuccessFactors and many more in the road map. There is a need for a solution to manage the numerous SAP and non-SAP APIs. SAP API Management helps unlock the value of digital assets, enabling the creation and delivery of content and business services to consumers, partners and developers.

APIMgtArchitecture.png  

 

7. Are there any business use cases?

Business to Employee use case in construction industry –

  • Challenges
  • Solution - Standardized APIs provide an alternate method to access back-end systems. Developed new, intuitive lightweight applications that could be delivered, monitored, managed, and analyzed through an enterprise app store. Streamlined development tools to ease app development.
  • Benefits

Business to Consumer use case in retail industry –

  • Challenges -
  • Solution - Created an entire API ecosystem. Implemented API management as a cloud-based, software-as-a-service (SaaS) solution. Embraced widely used standards and protocols to make the system easily usable for developers and to provide comprehensive analytics and monitoring.
  • Benefits – On-boarded partners securely and efficiently. Using the technology to drive traffic and expand the company’s footprint and improve innovation. Increased speed with lightweight, simple protocols. Implemented policy-based management, security, caching, and analytics out of the box.

Business to Business use case in retail industry

  • Challenges
  • Solution - API management enabled the company to offer APIs to developers and to manage the APIs.
  • Benefits - Scaled reach to millions of users. Fostered co-innovation with developers. Maintained control over apps without having an app-store-like review process. Leveraged existing technology and reduced the need for re-engineering.

 

8.    What social media channels does SAP API Management offer?


  1. YouTube: http://spr.ly/youtube-sap-api-management
  2. Facebook: https://www.facebook.com/sapdevelopers
  3. Twitter: https://twitter.com/SAPdevs
  4. SCN: http://scn.sap.com/community/api-management
  5. LinkedIn: https://www.linkedin.com/grp/home?gid=4554629

 

9. Where can I learn more on SAP API Management?

We have great resources to get you started with SAP API Management, e.g. SCN - http://scn.sap.com/community/api-management, SAP - http://www.sap.com/api-management, and the social media channels.


10.  How is the solution able to expose registered services to external parties?

The SAP API Management (currently offered as an on-premise solution and running along with SAP Process Orchestration) provides capabilities to Register and expose Services as APIs and supports REST, OData, SOAP or any other HTTP based services.


11.  Does SAP API Management have the ability to monitor performance and utilization of all registered services?

The SAP API Management comes with comprehensive analytical capabilities to analyse the exposed APIs and backend service performance,  latency, error rate, average response times, moving average, anomalies, etc. to just name a few. These capabilities will let you inspect and troubleshoot any issues in the system.


12.  Is there a dashboard of who is consuming the APIs?

The Management User interface that comes with SAP API Management comes with an intuitive dashboard that includes various views such as: API traffic, top executed APIs, top Developers, etc. These out of the box dashboards can be extended to include customer reports and add them to existing or new dashboard views.

 

13.  How is the governance managed in SAP API Management?

SAP API Management’s runtime engine is policy driven. This means that policies are decoupled from the service definition and can be dynamically linked to these APIs or services to enforce minimal or maximum levels of operation and Quality of Service. It is possible to use the existing out-of-the-box set of policies or create your own.


14.  Can this solution link to backend ESB services or additional data sources?

SAP API Management provides capabilities to connect to any set of ESB services running locally or remotely. In the same way that it can expose APIs or services for consumption, it can also connect and integrate with a variety of backend systems.

 

15.  Does it have the ability to apply and change policies to APIs for security, throttling, prioritization, rate limitations with no API downtime?

SAP API Management provides a High Availability setup and configuration. In addition, the Comprehensive Provisioning and Deployment set of capabilities enables the quick association of policies to services through a single click and automatically switch to a new API or service behavior.

 

16.  Does it have the ability for consumers to self-serve on specified APIs?

The Developer services of SAP API Management enable developers (the target audience for API management) to serve themselves and use any published API or service. This is done through an intuitive web-based interface.

 

17.  Does it have the ability to insert or restrict certain behaviors?

The policy driven API runtime of SAP API Management enables API developers to define and modify the behavior of the APIs or services de-coupled from the integrated target or backend service or system.

 

18.  What are the throttling capabilities of SAP API Management?

Among the most relevant capabilities offered by SAP API Management to manage access to APIs or services are quotas for a time period, concurrency access limits, acceptable spike limits, and the configuration of caches to accelerate and boost performance.

 

 

 

API SECURITY

1. What are the security capabilities of SAP API Management?

  • The security policies of SAP API Management provide XML Threat protection, JSON Threat Protection in addition to Message Validation policy for XML Schemas (XSDs) and WSDL definitions.
  • HTTP header filtering and evaluation of content-level & regular expression validation

The mediation policies that can be defined and associated to an API or Service enable extraction, filtering and manipulation of messages including headers, URI paths, payloads, and query parameters.

  • Enforcement of rules for identity, HTTP verbs and URI’s, etc.

SAP API Management’s API runtime enables fine grained policy definition providing policy enforcement on API Resources (URIs, HTTP verbs) level.

  • Identity & Access Management and Active Directory support

SAP API Management provides capabilities to leverage any external identity provider for Authentication and Authorization including Active directory.


2. What are the different authentication mechanisms supported by SAP API Management?

  • SAML 2.0

SAP API Management provides capabilities to generate and validate SAML assertions. The API platform can act as an identity provider and as a service provider as well.

  • OAUTH

SAP API Management provides capabilities to configure and enforce OAuth authorization using out of the box policies.

  • Client Certificate

SAP API Management provides Client SSL enabling authentication and encryption of all messages flowing over the network from SAP API Management to the backend services.

  • Key & Certificate repository/management

SAP API Management provides capabilities to create keystores and truststores that provide the necessary keys and X.509 digital certificates.

 

 

Architecture and Development

1. How scalable is SAP API Management?

SAP API Management enables provisioning, governance, scalability and security of enterprise information for digital assets. Customers can also scale up to billions of API calls.

 

2. What are the different Deployment options?

SAP API Management can be deployed either on-premise or in cloud. Customers with business sensitive information can also opt to deploy a mixed mode, using in-cloud option for B2C scenarios and on-premise for B2E scenarios.

 

3. What are the different on premise installation scenarios?

There are 5 different API Platform and Analytics installation options:

  • Standalone (2 Hosts, SA-SAX)
  • 5-host cluster (MIN HA02SAX)
  • 9-host cluster (Performance HA Setup)
  • 13-host cluster (Performance HA with separate data zone)
  • 12-host cluster (MIN API traffic DR/AX HA)


4. What kind of application can we develop on SAP API Management?

The options on the kind of applications developed is boundless, but some of the common scenarios are

  • Innovative apps for end consumers/ employees – the abundant back data can be securely accessed to create innovative apps to reach directly to consumers and provide relevant information to employees
  • Internet of Things – Developer tools provided, help in creating apps that can communicate with each other via multiple devices and channels.

 

 

To check the FAQs for SAP API Management - In Cloud Edition, please visit: SAP API Management - In Cloud Edition FAQ

Pass Dropdown Value from one page to another page


Dear All,

Hi, I want to pass the selected dropdown value from one page to another page.

How can I pass the value?

 


Regards,

Meghal Shah

BEx Broadcaster Issue (while broadcasting)


Hi Gurus,

   I have created a query using BEx Query Designer and it is working well in RSRT (Query Monitor). When I try to broadcast the same query from RSRT it works fine, but when I try to broadcast the same query from the Portal, it shows the following message.

 

Although I am not having any restriction based on Fiscal year variant in my query.

 

Please suggest me some solutions.

 

 

 

Regards,

Deepak B.

need help in java script receiving a small error ; is missing


Hi Experts,

 

Please find my code in the attached file below. I am receiving the error that a ; is expected at line 15. I have even placed the ; at the end of the line but it is still not working. Can you kindly help me in this regard?

 

Regards,

DP

System copy 'Homogeneous' from MSSQL2005 to SQL2012 on Windows


Hi All

 

I am trying to do the System copy 'Homogeneous' from MSSQL2005 to SQL2012 on Windows.

I detached DB from source system and attached to the target system.

Then I run SAPInst from SWPM cd,

 

And selected homogeneous copy from existing DB, but it gives the following error and unable to continue the installation.

 

       " User tables belonging to the dbo schema were found in the database S11.

SOLUTION: You can only install an SAP system in a database with no user objects belonging to the system schema dbo.

If there already is an SAP system in the database (MCOD), or you install a Java Add-In, you might have to convert the existing system to its own schema, or contact your SAP support.  "

 

Anybody can help me to resolve this issue?

 

 

Thanks

Sel

How to Customize Pagination in sap.ui.table


Hi,

 

I have a requirement to do pagination where the visible row count is set dynamically based on a dropdown value. I need to place this dropdown in the same row where the pagination appears.

A screenshot of the requirement is attached.

 

Please help me in this.

What, where, when, why WEBGUI?


If you want to get acquainted with the WEBGUI, then this post should help you a bit...

 

What is the WEBGUI?

 

It is one of the three GUIs provided by SAP: SAPGUI for Windows, SAPGUI for Java and SAPGUI for HTML (a.k.a. WEBGUI). Read SAP note 710719 for more details about the SAPGUI family.

 

Where is the WEBGUI?

 

It is present in all SAP Netweaver ABAP application servers, as of release 6.40; for lower releases, it was available through the ITS 6.20 (installed in a separate server). Nowadays the ITS 6.20 is out of support (SAP note 197746).

 

When to use the WEBGUI?

 

When you want to use a web browser to execute an ABAP transaction code (might be embedded inside the Enterprise Portal, CRM, NWBC).

 

Why use the WEBGUI?

 

Because it is a GUI that you do not need to install. Just use your favorite web browser (as long as supported by the Product Availability Matrix) and have fun! Ok, there are limitations too: SAP Note 314568 presents the list.

 

The WEBGUI service is available via the ITS (Internet Transaction Server).

 

Ok, what comes next? Issues involving ITS and WEBGUI (look for my other blog post)!


How to prevent sap.ui.table.Table from displaying "multiline" rows when data contains carriage returns?


Yesterday, the sap.ui.table.Table I am using in my app started displaying the rows (which contain carriage returns/newlines in the data) as having multiple lines of data (no change in data). I'm not certain how this happened, but it has the unwanted effect of making the table's height adjust as the user scrolls through the data (and if it extends past the screen height, things get really fun with table and page resizing). I wouldn't really mind the multi-row look if it was possible to have a fixed height on the table, so that partial rows would show, as classic native app programs do. I've looked through all the properties, and I didn't see anything that I could imagine would have the desired effect. If it matters, I am using TextViews for my columns because I don't want the data to be editable in the table due to the size/formatting of the data.

 

So to get to the point, is there a way to either:

1. Force the sap.ui.table.Table to display only one line, followed by "..." when the data extends past the column bounds as it was previously doing

or 2. Force the sap.ui.table.Table to have a fixed height and show partial last rows, similar to native app tables?

 

Thanks!

activity type / cost element report


Hello!!

 

The client's requirement is to see the breakup of activity type on the production cost center and on lot-wise orders.

For example, they want to see the report of the FOH activity type on a production cost center or a batch or lot of an order, with the breakup of primary cost elements assigned to FOH.

 

Is there any report available in standard, or is it possible to develop such a report?

What to do when facing issues involving ITS and WEBGUI


This post contains suggestions about what to do when an issue appears while using the ITS/WEBGUI.

 

The first important information needed in ITS/WEBGUI cases: Kernel version and patch level and SAP_BASIS version and patch level. Why? Because the ITS/WEBGUI corrections are delivered via kernel patches and/or SAP_BASIS support packages. Note that not all corrections can be implemented via SNOTE.

 

For troubleshooting it is possible to use SAP notes 808347 (ITS 6.40 - preclarification and basic problem analysis) and 816973 (ITS 7.00 - preclarification and basic problem analysis). SAP note 816973 can also be used for release 7.01.

 

As of release 7.02 (kernel 7.20 or higher - e.g. 7.21, 7.22, 7.41 and 7.42), there is a major change in the ITS: the MIMEs (Javascript, CSS files) that were maintained in the database are now part of the kernel: the package ITS.SAR is delivered inside the disp+work package and is extracted by the ICM process.

 

Since it is possible to use the WEBGUI inside a different framework (Portal, CRM, NWBC), any issue faced during the execution of a transaction should be tested using the WEBGUI service directly, which keeps the number of variables in the scenario low. The WEBGUI service can be launched via transaction code SICF, navigating to /default_host/sap/bc/gui/sap/its/webgui. If the issue cannot be replicated via the WEBGUI service, then it might be an issue in the other framework.

 

If the WEBGUI service is not working correctly, then a few steps should be taken:

     1. Have the ICM profile parameter set:

          icm/HTTP/file_access_XX = PREFIX=/sap/public/icmandir/,DOCROOT=$(DIR_ICMAN_ROOT),ARCHIVE=$(DIR_EXECUTABLE)/ITS.SAR

          (Replace XX by the first available value, starting with 0)

          This will guarantee that the ICM process will extract the ITS.SAR package

     2. Force the extraction of the file:

          1. Delete (or rename) $DIR_DATA/icmandir/its
          2. Delete (or rename) file $DIR_DATA/icmandir/last_update_ITS.txt
          3. Restart the ICM process: SMICM -> Administration -> ICM -> Exit Soft -> Global
          4. As a result, the ICM trace file should show entries like:

               [Thr XXXX] HttpExtractArchive: extract archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR to /usr/sap/SID/DVEBMGS00/data/icmandir
               SAPCAR: processing archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR (version 2.01)
               SAPCAR: 14209 file(s) extracted
               [Thr XXXX] HttpExtractArchive: archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR extracted to /usr/sap/SID/DVEBMGS00/data/icmandir

     3. Make sure that the nodes in SICF from path /default_host/sap/bc/gui/sap/its/webgui were not changed (i.e. guarantee that the standard configuration works)

     4. Test the scenario again
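The checks in steps 1 and 2 can be scripted. The following is an added example, not part of the original post or of any SAP tool: it finds the first free icm/HTTP/file_access_XX index in a profile, confirms that an entry points at ITS.SAR, and reads an ICM trace to see whether the extraction ran to completion. The function names, the file_access_0 entry in the sample profile and the sample strings are constructed; the ITS.SAR parameter value and the trace lines are the ones quoted above.

```python
import re
from typing import Dict, Optional

# Constructed sample profile: entry 0 is an invented pre-existing entry,
# entry 1 carries the ITS.SAR value quoted in step 1.
SAMPLE_PROFILE = """\
icm/HTTP/file_access_0 = PREFIX=/doc/, DOCROOT=/usr/sap/doc
icm/HTTP/file_access_1 = PREFIX=/sap/public/icmandir/,DOCROOT=$(DIR_ICMAN_ROOT),ARCHIVE=$(DIR_EXECUTABLE)/ITS.SAR
"""

# Trace lines as quoted in step 2 (thread id left as the XXXX placeholder).
SAMPLE_TRACE = """\
[Thr XXXX] HttpExtractArchive: extract archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR to /usr/sap/SID/DVEBMGS00/data/icmandir
SAPCAR: processing archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR (version 2.01)
SAPCAR: 14209 file(s) extracted
[Thr XXXX] HttpExtractArchive: archive /usr/sap/SID/DVEBMGS00/exe/ITS.SAR extracted to /usr/sap/SID/DVEBMGS00/data/icmandir
"""

FILE_ACCESS = re.compile(r"^\s*icm/HTTP/file_access_(\d+)\s*=\s*(.*)$")
START = re.compile(r"HttpExtractArchive: extract archive (\S+) to (\S+)")
COUNT = re.compile(r"SAPCAR: (\d+) file\(s\) extracted")
DONE = re.compile(r"HttpExtractArchive: archive (\S+) extracted to (\S+)")


def file_access_entries(profile: str) -> Dict[int, Dict[str, str]]:
    """Map each file_access index to its KEY=value options."""
    entries: Dict[int, Dict[str, str]] = {}
    for line in profile.splitlines():
        m = FILE_ACCESS.match(line)
        if not m:
            continue
        options: Dict[str, str] = {}
        for item in m.group(2).split(","):
            key, sep, value = item.partition("=")
            if sep:
                options[key.strip().upper()] = value.strip()
        entries[int(m.group(1))] = options
    return entries


def first_free_index(profile: str) -> int:
    """Lowest XX, counting from 0, that no file_access entry uses yet."""
    used = file_access_entries(profile)
    n = 0
    while n in used:
        n += 1
    return n


def its_archive_index(profile: str) -> Optional[int]:
    """Index of the entry that serves /sap/public/icmandir/ from ITS.SAR."""
    for idx, opts in sorted(file_access_entries(profile).items()):
        if (opts.get("PREFIX") == "/sap/public/icmandir/"
                and opts.get("ARCHIVE", "").endswith("ITS.SAR")):
            return idx
    return None


def extraction_status(trace: str) -> Dict[str, object]:
    """Summarise the most recent ITS.SAR extraction attempt in the trace."""
    status: Dict[str, object] = {"started": False, "files": None,
                                 "completed": False, "target": None}
    for line in trace.splitlines():
        m = START.search(line)
        if m and m.group(1).endswith("ITS.SAR"):
            # A new attempt replaces whatever an earlier attempt left behind.
            status = {"started": True, "files": None,
                      "completed": False, "target": m.group(2)}
            continue
        if not status["started"]:
            continue
        m = COUNT.search(line)
        if m:
            status["files"] = int(m.group(1))
            continue
        m = DONE.search(line)
        if m and m.group(1).endswith("ITS.SAR"):
            status["completed"] = True
    return status


if __name__ == "__main__":
    print("first free index:", first_free_index(SAMPLE_PROFILE))
    print("ITS.SAR entry:", its_archive_index(SAMPLE_PROFILE))
    print("extraction:", extraction_status(SAMPLE_TRACE))
```

A trace in which the "extract archive" line appears without the closing "extracted to" line reports completed as False, which is the case to look into before testing the scenario again.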

 

It is also useful to use some HTTP traffic capture tool, e.g. HttpWatch and Fiddler. The following KBAs show how to record HttpWatch traces, in different scenarios:

 

          1816543 - How to create HttpWatch trace to troubleshoot ITS related problem

          1817622 - How to trace an ITS Service directly using HttpWatch?

          1817693 - How to trace the ITS Service "WEBGUI" directly using HttpWatch?

SMP 3 Security - Principal Propagation



 

Overview

 

Principal Propagation is one way to achieve Single Sign-On. Once a user has been authenticated, SMP can use Principal Propagation to create a temporary user certificate and then use this certificate to connect to the backend system. The backend system then creates a session/context based on the user certificate. For this, SMP needs a CA certificate that can be used to create X509 user certificates. The format of the distinguished name of the user certificates is configurable. Usually SMP inserts the user name (of the currently active SMP session) as the common name (cn). The temporary user certificate has a limited lifetime (e.g. 10 minutes) and is transferred to the backend system in a header called SSL_CLIENT_CERT. The backend system needs to be set up for client certificate authentication, and it needs to trust SMP as well as SMP's CA certificate. Additionally, the connection between SMP and the backend should be secured by a mutual https connection.

 

The process is described in following picture:

 

SMP3 Security - Principal Propagation.png

 

1) Data Request

A request is sent to SMP, e.g. a GET Request to receive some data from backend system

 

2) SMP Authentication

SMP will authenticate the user by applying the specified Authentication Providers. The Principal Propagation Authentication Provider also needs to be defined inside the Security Profile. The Principal Propagation Module cannot be used alone inside the Security Profile. It must be used in combination with another Authentication Provider that authenticates the user (e.g. HTTP/HTTPS Authentication, LDAP, SAML2, ...)

 

3) Temporary User Certificate Creation

The Principal Propagation Module will then get the username (of the already authenticated user) from the current session and will create a user certificate (by using a specified CA certificate from SMP's keystore)

 

4) Request to Backend System

SMP will establish a mutual https connection to the backend system. That means, that SMP will use a (beforehand defined) client certificate to connect to the backend system. After that SMP attaches the created X509 user certificate as base64 encoded string into the header SSL_CLIENT_CERT and forwards the request to the backend system.

 

5) Backend System

The backend system receives the request and recognizes that a user certificate is given inside the SSL_CLIENT_CERT header. Because SMP was set up as a trusted system and the CA certificate is also trusted, the backend system uses this user certificate to create a user session. There has to be a user/certificate mapping in place, so that the user certificate can be mapped to a concrete existing backend user.

 

6) Data Response

Backend system has now a valid session and will return the requested data

 

7) Data Response

SMP will forward the data response to the mobile device.

 

 

 

Preparation

 

In the following I will describe the process for Principal Propagation in combination with an SAP Gateway.

 

Make sure that SSL is enabled on the Gateway server. Steps for this are described for example in following post:
Enabling SSL (HTTPS) on SAP Gateway .


Also test beforehand whether your Gateway system is prepared for certificate based authentication. The required steps are described here:

Configuring Client Certificate Authentication (mutual https) on SAP Gateway

 

Steps

 

  1. Create a (technical) user for SMP on Netweaver Gateway (in my case SMPCLIENT)
  2. Create a user certificate for SMP (that is accepted by Netweaver Gateway)
    Test it by using transaction CERTRULE and importing the SMP user's certificate
    image57.png

  3. Create a CA certificate and key which can be used by SMP to create/sign temporary user certificates.
    Check whether certificates created by this CA keypair are really trusted (and mapped) in Netweaver Gateway. If not, create a new rule in CERTRULE
    (In my case my CA is called PrincipalPropCA)
    image58.png
  4. Import both cert/key pairs (smpClient and PrincipalPropCA) as .p12 files into SMP’s keystore
    e.g. by using KeyStoreExplorer or, since SP08, by using the Certificate tab in Management Cockpit
    SMP3_Certificates_Management_Cockpit.png
    Remember the given alias names (required in later steps)
    You should stop the SMP server, then change the keystore and then restart the server again
  5. Import PrincipalPropCA into your Server PSE in STRUST
      image60.png
  6. Add the following parameters to the Gateway’s profile (in RZ10)
    (Server restart required)
    Without these values SAP Gateway will not accept the user certificates sent inside the SSL_CLIENT_CERT header.

| Parameter | Value | Description |
|---|---|---|
| icm/HTTPS/trust_client_with_issuer | EMAIL=marvin.hoffmann@sap.com, CN=MyCA, OU=MIT, O=SAP, L=Walldorf, SP=NRW, C=DE | CA cert of SMP client |
| icm/HTTPS/trust_client_with_subject | CN=smpClient, OU=MIT, O=SAP, L=Walldorf, SP=BW, C=DE | SMP client certificate |

The values can be found inside the client certificate that SMP uses to establish the mutual HTTPS channel to Gateway.

Tip: I recommend checking the exact values in the dev_icm log, because the string has to match the sender's exactly; if, for example, a space is missing, it will not work. Simply execute a request once with the ICM trace level set to 2 and check the log (see Debugging section).

 

Using SMP’s base Certificate

 

For testing scenarios you can also use SMP’s base certificate: smp_crt
It is also tagged as a CA certificate, so you could use it for both (SMP client as well as Principal Propagation CA).

But this should only be used for testing/development purposes...

 

 

SMP Configuration

 

Quick Overview

  • Security Profile contains two Authentication Providers
    (Principal Propagation is not authenticating the user)
  • The Subject Pattern in the Principal Propagation Auth Provider settings needs to be set up in the backend system as user mapping (usually the Subject DN of the X509 certificate)
  • In the Backend Configuration, add the certificate alias which identifies a certificate (private key required) in SMP's keystore that is used by the Principal Propagation Auth Provider to create the temporary user certificate
  • In the Backend Configuration, add "X509" as SSO mechanism
  • After the user has been authenticated (by the first auth provider), the Principal Propagation Auth Provider creates a temporary user certificate for this specific user. This temporary user certificate is attached as header SSL_CLIENT_CERT to the request against the backend
  • The communication between SMP and backend should be encrypted by mutual HTTPS

 

Steps

 

Create a new app which points e.g. to an OData service from Netweaver Gateway. Choose “X.509” as SSO mechanism. Additionally you have to set the “Certificate alias”. Here you have to specify the alias name of the key pair which will be used to establish the mutual authentication channel between SMP and the backend.

 

Additional information to SSO Mechanism (from SAP Help): X.509 Certificates

  • Connects to the back end using the configured technical user X.509 certificate. The end-user certificate is passed in the SSL_CLIENT_CERT HTTP header. Configure the back end to allow the technical user to impersonate the end user and execute the request in the context of the end user. The end-user certificate may be generated by the Principal Propagation provider that is configured in the security profile, or it may be supplied by the end user when he or she authenticates to the server over a mutually authenticated HTTPS connection. You can use this mechanism with either the X.509 authentication provider or the Principal Propagation provider that is configured in the security profile.

 

Add a new security profile. Inside the Security Provider, use an authentication provider to authenticate the user (in my case SAML2), then add the Principal Propagation module as second provider.

The Subject Pattern of the user certificate can be chosen. ${name} is the variable which gets replaced at runtime with the currently authenticated username. This user certificate will be valid for 10 minutes only. It will be signed by PrincipalPropCA (which is a CA certificate pair that we imported into SMP’s keystore).

 

Debugging - ICM Logging/Tracing

 

Especially if communication between SMP and Gateway is not working, it makes sense to have a closer look at what exactly has been received on the Netweaver side. For that you can increase the log level of ICM and then use the dev_icm log to check what has been received.

 

Open transaction SMICM and choose Goto > Trace Level > Set, and set it e.g. to "2 Full Trace".

After that, execute a failing request, then check the ICM trace file.

 

E.g. the following error is thrown if SMP is not set up correctly as a trusted system on SAP Gateway: Intermediary is NOT trusted / Reject untrusted forwarded certificate

HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields

Reject untrusted forwarded certificate (received via HTTPS with untrusted certificate): subject="

HttpModHandler: remove incoming ssl header

The trace shows that the DN of SMP's client certificate is not exactly the same as the one we are trusting (missing spaces...). So we need to correct this in transaction RZ10.
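The exact-match requirement from the tip in the Steps section and the rejection seen in dev_icm can be checked mechanically. The following is an added example, not part of the original post or of any SAP tool: it scans a constructed dev_icm excerpt for the rejection message and compares the presented DN with the value configured for icm/HTTPS/trust_client_with_subject. The layout of the text after subject=" and all function names are assumptions.

```python
import re

# Value configured in RZ10 for icm/HTTPS/trust_client_with_subject (from the article).
TRUSTED_SUBJECT = "CN=smpClient, OU=MIT, O=SAP, L=Walldorf, SP=BW, C=DE"

# Constructed dev_icm excerpt; the DN after subject=" is an assumed layout.
SAMPLE_TRACE = '''\
HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
Reject untrusted forwarded certificate (received via HTTPS with untrusted certificate): subject="CN=smpClient,OU=MIT,O=SAP,L=Walldorf,SP=BW,C=DE"
HttpModHandler: remove incoming ssl header
'''

REJECT_RE = re.compile(r'Reject untrusted forwarded certificate.*?subject="([^"]*)"')


def split_rdns(dn):
    """Split a DN on unescaped commas and trim each attribute=value pair."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def compare_dn(configured, presented):
    """Classify why the configured trust string does or does not match."""
    if configured == presented:
        return {"status": "exact-match", "first_diff": None}
    # Index of the first differing character, to pinpoint the typo.
    shorter = min(len(configured), len(presented))
    first_diff = next(
        (i for i in range(shorter) if configured[i] != presented[i]), shorter)
    # Same attributes in the same order means only the spacing differs.
    same_rdns = split_rdns(configured) == split_rdns(presented)
    status = "whitespace-only" if same_rdns else "different-dn"
    return {"status": status, "first_diff": first_diff}


def audit_trace(trace, configured):
    """Return one finding per rejected forwarded certificate in the trace."""
    findings = []
    for line in trace.splitlines():
        match = REJECT_RE.search(line)
        if match:
            finding = compare_dn(configured, match.group(1))
            finding["presented"] = match.group(1)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_TRACE, TRUSTED_SUBJECT):
        print(finding)
```

A "whitespace-only" result means the profile value names the right certificate but is spelled differently from what the sender presents, which is the case described above; "different-dn" points to a wrong certificate or a wrong profile value.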

ROC_Out not getting triggered and ASSERTION failed issue



Hi Experts,

 

I am facing an issue wherein in WEB UI PO confirmation is done and instead of ROC_Out, RON_out is getting triggered.

In addition to that I am getting an issue of ASSERTION failed, but XML RON_out is getting generated and it is successful.

ASSERTION_FAILED

/SCA/TSODM====================CP

|>>>>>|  ASSERT lt_return IS INITIAL.

 

I have activated ODM as per SAP note and made sure that ODM is maintained correctly.

In addition to that I have tried to activate planning object structures through /SCA/TSDM09 but am getting the message that 9AINV1......planning structure object activation failed.

 

Could you please let me know the possible causes.

 

Also for ROC_Out Issue which is not triggering

 

I tried maintaining below validation setting :

 

Profile:POC3

Validation check:PO_PUBLISH_ACCEPTED_ITEMS

Validation check:PO_PUBLISH_CHANGED_ITEMS

Validation check:PO_PUBLISH_ACCEPTED_ITEMS

 

Status I have maintained as Inactive.

Please let me know what could be the solution so that ROC_Out will get triggered and also I would be able to resolve the assertion issue and should be able to activate the planning structure object.

I think all the above are related to a single issue; that's the reason I am posting this in one thread.

 

Regards

shailesh
