Prepare SAP HANA server For SSL

CommonCryptoLib and OpenSSL (if you are using a self-signed certificate) are required on the HANA server. These are normally already installed along with your HANA installation.

CommonCryptoLib (libsapcrypto.so) is installed by default as part of SAP HANA server installation at $DIR_EXECUTABLE.

Check OPENSSL.

Certificates stored in the file system are contained in database-specific personal security environments or PSEs (default $SECUDIR/sapsrv.pse).

Navigate to $SECUDIR

This ensures all the prerequisites are met and all environment variables are properly set.

  1. Create the PSE and server certificate request using SAPGENPSE.
    Important Note:
    • Do not enter a password when prompted for the PSE PIN/passphrase, as it is not supported!
    • Also, to secure internal communication, the common name should be host specific, e.g. CN="<hostname_with_domain>". So when creating a private CA on each host, the CN parameter will be unique.

    This creates two files.

  2. Create the root certificate for this host. Here you can use the pass phrase that you want.
    You now have two more files in the directory.
  3. Sign the certificate request. You can get the certificate signed by a CA, but since this is just for a demo, we will sign the certificate using openssl.
    A new file with the name sapsrv.pem will be created in the same directory, $SECUDIR.
    With this step you have the certificate ready that can be used on client machines.
    In the next blog we will see how to use this certificate to log in to the HANA database via HANA Studio using SSL.
  4. Import the server certificate into the PSE. Note that the PSE file has a new timestamp with the certificate added.
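
Added example, not part of the original post: steps 2 and 3 done with openssl, followed by a check to run before the import in step 4, namely that sapsrv.pem chains to the private CA and that its CN is exactly the host's FQDN. The file names CA_Key.pem, CA_Cert.pem, sapsrv.req and pass.txt, the host name hana01.example.com, and the openssl-generated stand-in for the SAPGENPSE request are assumptions.

```shell
#!/bin/sh
# Added example. Only sapsrv.pse and sapsrv.pem are names from the post;
# every other file name and the host name are assumptions.

# Stand-in for step 1 so the script runs without SAPGENPSE. On a HANA host the
# request comes from: sapgenpse get_pse -p sapsrv.pse -r sapsrv.req "CN=<fqdn>"
make_demo_request() {  # $1=dir  $2=host FQDN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/demo_key.pem" -out "$1/sapsrv.req" 2>/dev/null
}

# Step 2: self-signed root CA; the pass phrase is read from a file so it
# never appears on the command line or in the process list.
make_root_ca() {  # $1=dir  $2=pass phrase file
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=Demo HANA Root CA" -passout "file:$2" \
        -keyout "$1/CA_Key.pem" -out "$1/CA_Cert.pem" 2>/dev/null
}

# Step 3: sign the request with the root CA, producing sapsrv.pem.
sign_request() {  # $1=dir  $2=pass phrase file
    openssl x509 -req -sha256 -days 365 -in "$1/sapsrv.req" \
        -CA "$1/CA_Cert.pem" -CAkey "$1/CA_Key.pem" -passin "file:$2" \
        -CAcreateserial -out "$1/sapsrv.pem" 2>/dev/null
}

# Before step 4: succeed only if the certificate verifies against the CA
# and its subject is exactly CN=<expected FQDN>.
check_server_cert() {  # $1=dir  $2=expected FQDN
    openssl verify -CAfile "$1/CA_Cert.pem" "$1/sapsrv.pem" >/dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$1/sapsrv.pem" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    [ "$subject" = "CN=$2" ]
}

# Runs the whole flow in a scratch directory with a constructed pass phrase.
run_demo() {  # $1=FQDN in the request  $2=FQDN expected by the check
    dir=$(mktemp -d) || return 1
    (umask 077; printf 'constructed-demo-passphrase\n' > "$dir/pass.txt")
    make_demo_request "$dir" "$1" && make_root_ca "$dir" "$dir/pass.txt" &&
        sign_request "$dir" "$dir/pass.txt" && check_server_cert "$dir" "$2"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

`run_demo hana01.example.com hana01.example.com` returns 0, while a mismatched second argument returns non-zero, which is the case to catch before a certificate with the wrong CN ends up in the PSE.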

 

Important SAP Notes:

2487639 – HANA Basic How-To Series – HANA and SSL – MASTER KBA

2183363 – Configuration of SAP HANA internal network

2009483 – PSE Management in Web Administration Interface of SAP Web Dispatcher

2487698 – HANA Basic How-To Series – HANA and SSL – establishing a secured ODBC/JDBC connection using HANA Studio

2416525 – Single SSL Certificate with FQDN configuration for HANA Scaled out / MDC in HANA Studio

 

Could not open app – SAP Fiori

In continuation of my previous blog, cannot load tile – SAP Fiori, I continue discussing the other error we faced after the upgrade of the S/4HANA system from 1511 to 1610.

“Could not open app. Please try again later”.

Troubleshooting steps:

Ensure that the following steps are taken care of after the upgrade:

  1. Review OSS note 2346431 – SAP S/4HANA 1610: Release Information Note (https://launchpad.support.sap.com/#/notes/0002346431) and apply all the recommended notes mentioned for the target FPS/SPS level you just upgraded to. As a suggestion, apply all SAP_ABA, SAP_BW, and SAP_BASIS notes to both the frontend and the backend, while the S4Core notes are only for the backend.
  2. Ensure the scheduling of report /UI5/APP_INDEX_CALCULATE is running and if not, please schedule and run the job.
  3. Ensure the scheduling of report /UI2/GET_APP_DESCR_REMOTE is running and if not, please schedule and run the job.
  4. Ensure the following reports are also run in the Frontend Server:
    a. /UI2/CHIP_SYNCHRONIZE_CACHE
    b. /UI2/DELETE_CACHE_AFTER_IMP

If this does not solve your issue, jump to next steps:

Create RFC destinations as per SAP Note 2269272 and replicate the app descriptors from the back-end system.

Check again whether your app works. If not, continue with the next steps:

Compare the App details from the app launcher with the details on the SAP Fiori App Reference Library. 

App launcher url looks like:

<http/s>://mys4hanasystem:<HTTP/HTTPS port>/sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html

On the app launcher, you should find the OData (/n/iwfnd/maint_service) and ICF service (SICF) details for the app; these should be active on the front-end server:

Ensure that the SICF services are active and that you can test them successfully, and that the OData service is active and mapped to the right System Alias.

OData:

Note: Service here points to local system alias as I have my front end and back end configured on the same application. Please check correctness of your alias to be used.

SICF:

If you are not able to find the services for the app, it's time for an incident towards SAP.

Please let me know if this solves your issues or if you have any questions in the comments below.

 

Random issues faced during Business Process Monitoring (BPM) configuration on Solman 7.2

In this blog I will try to note some issues I faced during configuration of Business Process Operations. The issues are peculiar and might not be relevant for everyone.

A. Issue with Solman_setup -> Basic Configuration -> Activation of BW content (For UPL, RCA…)

During this I faced an issue activating BW content. The error is as below. No other logs in SLG1 or ST22 in the system.

Solution: I had to restore the logical BW system from RSA1 to fix the issue.

RSA1 -> Modeling -> Source System -> BW -> Logical System

Ran activation again from Solman_Setup and everything went fine.

Probable Cause: We did a client copy to create a new client and something went wrong while running BDLS.

B. Issue with Solman_Setup -> Basic BPO Configuration -> Configure Solution Manager -> Configure Automatically

Activity “Activate BW Cubes” runs into the error “BW content not activated”.

Solution: Activated the related cubes (0SM_BPM, 0SM_BPMRH, 0SM_BPMRD) manually from RSA1 as suggested by SAP Note 2434326.

C. Business process monitoring tile is not visible in Solman_workcenter.

Follow the below SAP Note:

2338589 – Troubleshooting for Blank Business Process Monitoring workcenter applications in SAP Solution Manager 7.2

  1. Check and ensure that the user profile used has the following roles applied:
    i.    Run transaction SU01 and display the user profile.
    ii.   Navigate to the Roles tab and confirm that the following roles have been applied:
    –  SAP_SMWORK_BPO
    –  SAP_SMWORK_SM_ADMIN
  2. Check and confirm that the necessary UI5 services are active:
    i.    Run transaction SICF.
    ii.   Enter /sap/bc/ui5_ui5 within the service path field and select Execute.
    iii.  Confirm that the following services are active:
    –  sap_bpm_alrep
    –  sap_bpm_hier
    –  sap_bpm_search
  3. Clear the system cache and internet browser cache:
    i.    Complete all steps contained in the following SAP KBA:
    2319491 – How to clean up the cache after applying changes that affect SAP Fiori apps.
    ii.   Delete the browsing history of the workstation’s internet browser.

 

Important Notes:

2320230 – How to Confirm “Activate BPMon Services” in Solution Manager 7.2’s BPO Configuration

2491759 – Migration for Business Process Monitoring from Solution Manager 7.1 to 7.2

 

GDPR for SAP – Are you ready?

Everyone keeping track of the GDPR clock should already be gearing up for compliance, because the consequences of non-compliance could be damaging.

Under the new law, personal data of your customers can only be gathered legally under strict conditions. Processing, handling, archiving and deleting this data must also follow strict rules.

We are part of Brexit! We do not have offices in EU countries! I do not know if this applies to us! By when should we be compliant!

You can find the answers to these questions at FAQs and Timelines.

It applies to everyone who is processing/using any data for customers from the EU.

So even if you do not have an office in the EU but do business with EU customers, you are within the purview of GDPR.

When it comes to SAP, you should be thinking of, but not limiting yourself to, the following aspects of data.

  1. Any personal data of your customers should be secured. This ranges from their official title (CEO/CFO/Director, etc.) to their postal code. Make informed decisions.
  2. Be prepared to secure the data already in your system. Prevent unauthorized access to this information. Many might think this only applies to production systems, which is incorrect. Personal data in your Pre-Prod, Test, Development, etc. systems is all considered sensitive.
  3. Data should be archived/deleted unless it is absolutely required. Archived data should be safeguarded from unauthorized access.

This of course is a complicated and time-consuming process. But the great thing is that there are already multiple tools readily available in the market which can completely automate this process.

Since we are talking about SAP, I would like to bring some of these tools to your notice which can help you make your SAP systems compliant.

  1. Let's start with the basics and the most crucial aspect. Check your authorization matrix. Ensure that only people who need access to personal data have access. Use tools like SAP GRC to control authorizations and to manage, mitigate and document risks.
  2. Protect the data in your non-production systems. Apply strict authorization controls on your non-production SAP systems. Use tools that scramble test data in non-production systems. Some examples include SAP TDMS and DATA Secure by EPI-USE. Another interesting tool could be SAP Field Masking Solution.
  3. Handle the data in your production system wisely. Archive or delete your data that is not necessary. Use tools like SAP ILM to manage the life cycle of your data.

The above are just some actions for compliance. There is much more to this than just using the tools, such as appointing a Data Protection Officer (DPO), legal advice, etc.

Please share your experience regarding GDPR under comments.

 

Important SAP Notes:

2616471 – Data Protection and Privacy Features for SuccessFactors Reporting & Analytics

2649596 – GDPR Technical Basic Check

2579631 – GDPR (General Data Protection Regulation) in HCM