Adobe Document Services – A complete guide

Below steps explain Adobe Document Services (ADS) configuration for SAP:

ADS component runs on the Netweaver JAVA stack of SAP. So you can use, JAVA stack of Solution Manager, PO/PI, Enterprise Portal etc.. to connect to any ABAP stack application for generating PDF documents.

Install ADS on a SAP NW JAVA system:

ADS is by default not installed on the JAVA instance.  You must install it manually install the same if not already installed on your SAP JAVA engine. Ensure that you install the right version for you Netweaver stack.

Please refer to blog to install the component using telnet.

Install required libraries if running on Linux:

If your JAVA application is running on Linux, ensure that you have installed the required libraries as per below SAP Notes:

2029940 – IFbA: Required additional RPM package for ADS on Linux

1956394 – Troubleshooting for ADS OS native module termination on Unix platform

If this is not done, you might receive following errors when running FP_PDF_TEST_00.

“ADS: com.adobe.ProcessingException: com.adobe.Processin(200101)”.

And you might see following errors in the NWA logs:



Create users on JAVA:

Create user ADSUSER on JAVA engine with roles SAP_ADSCALLER and SAP_ADSMONITOR.

I suggest to make this a technical user.

Create users on ABAP:

Create user ADSAGENT and assign roles ADSCALLERS, SAP_BC_FPADS_ICF and SAP_BC_FP_ICF.

Activate the required services from SICF:


Create Destination for ABAP server with name FP_ICF_DATA_<SID> from NWA.




Create RFC from your ABAP to JAVA:

Path Prefix: /AdobeDocumentServices/Config?style=rpc



You are now done with the configuration of ADS

Test your ADS configuration:

Run report FP_TEST_00 (SE38/SA38):





Run report FP_PDF_TEST_00 (SE38/SA38):







If you get errors in any of these tests recheck your configuration. Check if any user is locked.

Additional SAP Notes for ADS configuration and troubleshooting:

1780404 – ADS problem on Solaris 11

2226341 – How to activate ADS trace in NW 7.1 and higher? [Video]

1503408 – Central Note for ADS on NW730

2420614 – IFbA: Suppress ADS error message from FP_PDF_TEST_00

1675976 – Password pop-up in ADS

1462986 – ADS Load Balancing

2029940 – IFbA: Required additional RPM package for ADS on Linux

1177315 – ADS RFC destination test return 403 / 404 / 405 code

2366561 – ADS RFC destination path prefix returns warning “Query string not allowed”

2395126 – HTTP 407 error in ABAP HTTP connection to ADS [VIDEO]


SAP Router Certificate Refresh

Procedure to refresh your expired SAP Router certificate with new one. I have included some screenshots for better understanding.

Check the validity of your router using below command:

sapgenpse get_my_name


Usually the validity of certificate is only for one year.

A. Login to SAP Market Place to get the distinguished name of your router server:


Before executing the next steps, make sure that you have taken the backup of complete SAPROUTER folder (Or which ever directory containing your SAP Router). Delete the following files local.pse, srcert, certreq and cred_v2 from SAPROUTER folder.

B. Generate the certificate Request with the command:

sapgenpse get_pse -v -r certreq -p local.pse “<Distinguished Name>”

sapgenpse get_pse -v -r “E:\usr\sap\saprouter\certreq” -p local.pse “CN=myserver, OU=0000123456, O=saprouter, O=SAP, C=DE”
Got absolute PSE path “E:\usr\sap\saprouter\local.pse”.
Please enter PSE PIN/Passphrase: ****
Please reenter PSE PIN/Passphrase: ****

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Supplied distinguished name: “CN=Myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”
Creating PSE with format v2 (default)
certificate creation… ok
PSE update… ok
PKRoot… ok
Generating certificate request… ok.
Certificate Request
Signed Part
Subject :CN=Myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”
Key type :rsaEncryption 
Key size :2048
Signature algorithm :sha256WithRsaEncryption 
Signature (size=”2048″) :<Not displayed>

You will be asked to enter the pin twice. Do make a note of the pin as you will be using it later.

C. Create SAP Router Certificate:

On SAP Marketpace, select the certificate you want to generate the request for and continue:


Copy and paste the content of file “certreq” on the next screen (From begin to end and no space included)


Now your SAP Router certificate is ready. Copy the certificate from “Begin certificate” to “End Certificate” and paste the content to file named “srcert”, which must be created in the same directory as the sapgenpse executable.

D. Install the SAP router certificate

Install the certificate using the below command,

sapgenpse import_own_cert -c srcert -p local.pse

example output:

Please enter PIN:
CA-Response successfully imported into PSE “D:\usr\sap\saprouter\local.pse”

E. Create credentials for SAP router 

Execute below command to generate credentials for SAP Router.

sapgenpse seclogin -p local.pse -O <user_for _saprouter>

Example output:

running seclogin with USER=”routadm”
Please enter PIN:
Added SSO-credentials (#0) for PSE “E:\usr\sap\saprouter\local.pse”
“CN=myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”

Note: The account of the saprouter user should always be entered in full <domainname>\<username>. If you do not enter a user here, credentials will be generated for currently logged in user.

This will create a file called “cred_v2” in the same directory as “local.pse”

F. Check the certificate.

Execute below command to check the new validity of the certificate:

sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

And below command to check the validity:

sapgenpse get_my_name

Sample output:

SSO for USER “routadm”
with PSE file “E:\usr\sap\saprouter\local.pse”

Subject : CN=myserver, OU=000012345, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
KeyInfo : RSA, 2048-bit
Validity – NotBefore: Fri Mar 010 17:22:45 2017
NotAfter: Thu Mar 08 17:22:45 2018

Client Copy – Performance improvement

Remote client copy from Production client to Quality? Not a good idea!

If you want to know why it is not a good idea, refer to SAP Note “489690 – CC INFO: Copying large production clients”.

But sometimes it is required to fulfill the requirement.

Lets see below some points that can help improve the performance of Copies.

Some other important notes below:

541311 – CC-INFO: Parallel processes FAQ

24853 – CC-INFO: Client copy, functionality

557132 – CC-TOPIC: Remote client copy

Its best to lock the source and target clients until the activities are done But again, “if it is Production”!

If the production client cannot be locked choose a low usage time frame.

  1. Empty the largest/time taking tables individually.

This saves lot of time during client delete. You should know these tables already from large table list of previous client copy logs.

Do not bother about these if you are planning to skip these from the copy.

SE14 –> Table Name

You can run deletion of multiple tables together.

Monitor the progress using SM37.

  1. Settings for Client Delete/Copy.

Below are generic settings for client delete and also the Client Copy.

SCC5/SCCL/SCC8/SCC9 à Expert Settings

Skip Empty tables:

Mark your big tables. Save the Biggest one for next step:

Add the biggest one in here:

Exclude the tables that you do not want to be Deleted or Copied here

Ensure to provide maximum number for parallel processes for the copy.

  1. Delete the Source Client.


Make sure you are logged in to the client you want to delete:

Monitor the progress from SCC3.

4 Perform Local/Remote Client copy or Export/Import.