Note 888687 - BEx Web Java: Analysis of communication/logon problems

简介:

Summary

Symptom

This note describes how to analyze logon problems and communication problems in the area of BEx Web Java. It illustrates ways of analyzing the most common errors and also describes the information that SAP Support require to process messages in this area efficiently.

Other terms

BEx Web, Web Application, broadcasting, RFC, HTTP, HTTPS, ABAP, Java, Single Sign-On, SSO

Reason and Prerequisites

You configure information broadcasting in a system landscape with SAP NetWeaver 2004 or a higher version.

or

You configure the "Enterprise Reporting, Query, and Analysis" IT scenario and, in particular, the "Query, Reporting and Analysis" scenario variant in a system landscape with SAP NetWeaver 2004s or a higher version.

When you test the configuration or when you execute an application, problems occur in the communication between the SAP Web Application Server Java and the SAP Web Application Server ABAP.

Solution
Classifying the problem

Information broadcasting and Java-based BEx Web Applications communicate differently between Java and ABAP. In the following section, the possible problems are divided into categories. Determine which category your question belongs to, read the information under "General procedure... " (depending on the communication protocol) and then read the section that deals specifically with your problem.

Note that there are two different protocols:

  • RFC communication: RFC communication is always used when the SAP Web Application Server JAVA and the SAP Web Application Server ABAP communicate "in the background", which means that they communicate with each other on the server. For instance, when query results are read to display them in a Java-based BEx Web Application or when precalculated HTML pages are generated in a batch job and the pages are then distributed to a Knowledge Management folder using information broadcasting.
  • HTTP(S) communication: This type of communication uses the Web browser as an interim step. For example, it is used when the BEx broadcaster (which is an ABAP-based BEx Web Application) is called from a Java-based BEx Web Application. It is also used in the BEx broadcaster when the dialog box for selecting the folder is called to export the data into the portal, and this has been implemented as a Java iView. Technically, the two actions specified here are executed when a URL is started on the client side.


It is important to bear the direction of the communication in mind:

  • Java to ABAP communication: The initiator of the action is on the Java side and the data recipient is on the ABAP side.
  • ABAP to Java communication: The initiator of the action is on the ABAP side and the data recipient is on the Java side.


Finally, there are the following two problem areas:

  • An error may occur when setting up the communication: This happens if a technical connection between the two systems cannot be established.
  • There may be an authentication (logon) error: The technical connection exists, but there is a problem identifying the user in the recipient that corresponds with the user in the initiator. Since both Java and ABAP work only with authenticated users and not service users, it is absolutely necessary that the user logs on to the calling system correctly so that the overall scenario can function correctly.

           Note that logon tickets are used in the area of information broadcasting and Java-based BEx Web Applications. In these scenarios, the user does not need to log on to the Web browser or the SAP GUI twice. A double logon indicates that there is an error in the configuration. There are some exceptions to this rule, which render another logon necessary:

  • When you call a BEx Web Application or the Broadcaster from a BEx tool, such as the BEx Web Application Designer.
  • When you use a specific export format that references contents (for instance, MIME objects) from the SAP Web Application Server or other servers.


We shall now present information about more exact ways of analyzing the problems for each combination of the three subject areas that are mentioned above.

General procedure when using RFC as a communication protocol

If problems occur when you use RFC as a communication protocol, in the SAP J2EE Visual Administrator, use the following menu path

  • "<J2EE_SID>" -> "Server" -> "Services" -> "Log Configurator",

to change the following locations to the "ALL" severity to receive more exact information:

  • com.sap.ip.bi.webapplications
  • com.sap.portal.connectors.BW
  • com.sap.portal.ivs.semantic.systemLandscape
  • com.sap.portal.ivs.systemConnectionTests
  • com.sap.security.api.saml
  • com.sap.security.core.server.jaas
  • com.sap.security.core.server.saml
  • com.sap.security.core.session
  • com.sap.security.core.ticket
  • com.sap.security.core.umap
  • com.sap.security.core.util


Save the changes and distribute them to all server nodes. Do not forget to reset the values to their default values as soon as you have found the reason for the error. You do this to avoid unnecessary entries in the log and to prevent a negative impact on system performance.

After resetting the trace settings, carry out the action that caused the error again.

For more information about the cause of the error in an RFC communication, see the last entries in the dev_jrfc.trc file in the following directory

  • /usr/sap/<SID>/JC<SYSNR>/j2ee/cluster/server<#>

All RFC errors are logged in this file regardless of the direction of the communication. In most cases, this allows you to narrow down the cause of the error. You can also find the log entries for the individual components concerned in the following file

  • /usr/sap/<SID>/JC<SYSNR>/j2ee/cluster/server<#>/log/defaultTrace.trc

You can view these in the "Log Viewer" in SAP J2EE Visual Administrator. The newest entries are displayed at the top in the "Log Viewer", which differs from the dev_jrfc.trc file.

Note that for a cluster installation, extra files are created for each server node. Since you cannot determine which server node is processing the RFC request, you may have to go through all these files.

Necessary information for SAP support when you open an OSS message and when you use RFC as a communication protocol

Ensure that you provide the following information in a message. By providing all the information, you can speed up the message processing because there is no need for further clarifications:

1. SAP support also requires the dev_jrfc.trc and defaultTrace.trc files for troubleshooting. Proceed as described under "General procedure when using RFC as a communication protocol"

If you create an OSS message, attach these files to the message in the case of RFC communication problems. Ensure that you copy the files directly from the respective server and avoid making any format conversions.

If your system is a cluster installation, attach the files of all cluster nodes to the message. This is necessary because there is no way of determining which server node is processing the RFC request.

2. Also, attach the ABAP certificate to the message as an attachment. You can export this into a file by saving the corresponding certificate by selecting "Export" in SAP J2EE Visual Administrator in "View" "TicketKeystore" under "<J2EE_SID>" -> "Server" -> "Services" -> "Key Storage".

3. Create screenshots of the login module settings and attach these to the message. The settings are under "<J2EE_SID>" -> "Server" -> "Services" -> "Security Provider" in SAP J2EE Visual Administrator. In the settings, select "ticket" under "Components " and choose 'Toolbar' to go to change mode. Select "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" in the list of the "login modules' and choose "Modify". Change the window size and the column sequence in such a way that all entries that exist there are visible, and then create the screenshot. In the same way, proceed under "evaluate_assertion_ticket" with the "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.

4. SAP support also requires an ABAP user name, for which there is a counterpart in J2EE, and the passwords of both users.

5. Finally, name the RFC destination that is used for the communication.

Communication errors in RFC-based Java to ABAP communication

To determine the correct SAP NetWeaver BI ABAP system, the system tries to determine the correct logon parameters for an RFC logon using the alias in the portal system landscape. If this is successful, the system transfers the parameters to the JRFC interface and this interface is responsible for the actual communication.

Typical problems and their characteristic error messages are as follows:

  • The user does not have any read authorization for the system alias in the portal system landscape.
  • Error message: "No permission for system alias ..." in the defaultTrace.trc log file.
  • Solution: In portal system landscape maintenance, under "Authorizations", select the "User" checkbox for the "Everyone" user group, for another role or another user group to which the user is assigned, or select it for a list of single users.
  • A parameter is missing from the system parameters and this parameter is necessary for setting up the connection.
  • Error message: "'...' is missing" in the dev_jrfc.trc log file
  • Solution: In the portal system landscape maintenance, check the parameters that were entered in the "Connector" category for your SAP NetWeaver BI ABAP system. The system needs the parameter specified in the error message for the connection setup, but this has not been entered.
  • A system parameter is not specified correctly causing the connection setup to fail.
  • Error message: "hostname '...' unknown", "service '...' unknown" or an error message in the dev_jrfc.trc log file
  • Solution: Correct the incorrect parameter in the "Connector" settings in the System Landscape Editor in the portal.

Communication errors in RFC-based ABAP to Java communication

In ABAP to Java communication, the SAP J2EE Engine works as an RFC server. When you start up the J2EE Engine the "JCo RFC Provider" registers itself under a unique name on the RFC gateway. After this registration, you can perform an RFC call from ABAP. This call is addressed to the RFC gateway, which forwards it to the "JCo RFC Provider" of the SAP J2EE Engine.

Typical problems and their characteristic error messages are as follows:

  • A system parameter is not specified correctly causing the connection setup to fail.
  • Error message: "hostname '...' unknown", "service '...' unknown" or an error message in the dev_jrfc.trc log file
  • Solution: Correct the incorrect parameter in the settings of the RFC Bundle in the J2EE Visual Administrator in "<J2EE_SID>" -> "Server" -> "Services" -> "JCo RFC Provider".

Authentication errors in RFC-based Java to ABAP communication

After the successful physical connection, the SAP Web Application Server ABAP tries to log the user on using the information available. In the areas of information broadcasting and the "Enterprise Reporting, Query, and Analysis" IT scenario, the system usually uses logon tickets to log the user on.

Typical problems and their characteristic error messages are as follows:

  • The SAP Web Application Server ABAP does not accept the logon ticket created by the SAP Web Application Server Java because it does not recognize the certificate with which the ticket was created.
  • Error message: "The issuer of the SSO ticket could not be checked" in the dev_jrfc.trc log file
  • Solution: In Transaction STRUSTSSO2 in the SAP Web Application Server ABAP, check whether the certificate of the SAP Web Application Server Java appears under "Certificate list" and under "Logon ticket". The client in "Logon Ticket" should usually be specified as "000". An empty value here is not valid. Also check in the tree view on the right-hand side of the screen to see if a green traffic light is displayed for all application servers in "System PSE". If this is not the case, the information on the respective application servers is obsolete. In this case, select "Distribute" from the context menu for "System PSE" until all application servers display a green traffic light.
  • There is no ABAP user assigned for the calling J2EE user. This error only occurs if the user ID for the J2EE user and the ABAP user are not the same.
  • Error message: "Name or password is not correct (repeat the logon)" in the dev_jrfc.trc log file
  • Solution: Check if a user assignment (user mapping) exists for the user for the SAP User Management Engine (UME) master system. Here, it is important that mapping in the UME master system is always used to determine the ABAP user name. This is also the case when you want to open a connection to a system that is not a UME master system.
  • The SAP Web Application Server ABAP is not maintained as a UME reference system and therefore, SSO tickets are not issued correctly.
  • Error message: " message: 'password' missing" in the dev_jrfc.trc log file"
  • Solution: Enter the SAP Web Application Server ABAP as a UME reference system and start the SAP Web Application Server Java so that the settings are transferred.
  • The logon method is not set to "SAPLOGONTICKET" in the system in the system landscape maintenance portal, which is assigned to the SAP Web Application Server ABAP.
  • Error message: "message: 'user' missing" in the dev_jrfc.trc log file"
  • Solution: Set the "Logon Method" parameter to "SAPLOGONTICKET" in the SAP Web Application Server ABAP in the system landscape maintenance portal.
  • The times of the system clocks between the SAP Web Application Server JAVA and the SAP Web Application Server ABAP do not correspond. As a result, the SAP logon ticket issued by the SAP Web Application Server JAVA is not yet valid or is no longer valid.
  • Solution: Synchronize the two system clocks so that the system can determine the validity of the SAP logon ticket correctly.


If the errors specified above do not apply or do not help solve the problem, you can determine the exact error by following the steps in Note 495911 describing how to record a logon trace.

Authentication errors in RFC-based ABAP to Java communication

JAAS login modules run for the authentication of a user on the J2EE side. Login module "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" is used in this case for the RFC-based ABAP to Java communication. See "Component", "evaluate_assertion_ticket" for this login module. This login module only accepts logon tickets from systems that have a certificate that is known by the J2EE Engine and that were also specified in the configuration of the login module. If the J2EE user ID is different to the ABAP user ID, an "inverse" user mapping is used to determine the J2EE user ID. For this, the user mapping is interpreted "backwards" for the UME master system.

Typical problems and their characteristic error messages are as follows:

  • The login module does not accept any RFC logons from the calling ABAP system.
  • Error message: ABAP short dump "Incoming call is not authorized."
  • Solution: Check the correct configuration of the login module in accordance with Note 721815. That notes describes the procedure for EvaluateTicketLoginModule. In the case of an RFC logon, you must configure the EvaluateAssertionTicket login module instead of the login module under "evaluate_assertion_ticket".

                    You can determine "issuer distinguished name" and "subject distinguished name" for the note mentioned above by selecting the certificate of your BW back-end system under "<J2EE_SID>" -> "Server" -> "Services" -> "Key Storage", "View" "TicketKeystore" and copying the values after "[ issuerDN ]" and "[ DN ]" to the clipboard. You must pay particular attention to upper/lower case, blank characters and so on.

                    Check the correct configuration of the login module as described in Note 721815. The defaultTrace.trc log file contains information about the reason why the logon attempt was unsuccessful.

  • The "inverse" user assignment (user mapping) is not unique.
  • Error message: com.sap.security.api.umap.MultipleHitException: Too much hits found
  • Solution: For a specified ABAP user, the system found more than one Java user for which a user assignment for that ABAP user is maintained. However, this "inverse" user assignment must be unique for the ABAP to JAVA communication because otherwise, the UME system cannot determine which JAVA user must be logged on. Determine which Java users are mapped to the ABAP user and delete all user assignments except for one.
  • The times of the system clocks between the SAP Web Application Server ABAP and the SAP Web Application Server JAVA do not correspond. As a result, the SAP logon ticket issued by the SAP Web Application Server JAVA is not yet valid or is no longer valid.
  • Error message: Ticket is not yet valid... / Ticket is not valid until ...
  • Solution: Synchronize the two system clocks so that the system can determine the validity of the SAP logon ticket correctly.


General procedure when using HTTP(S) as a communication protocol

When you use HTTP(S) as a communication protocol, it is important to know the name of the URL from which the incorrect page is called. You must also determine the URL that was called. To determine the two URLs, right-click the respective browser window and select "Properties" (MS Internet Explorer) or "This Frame" -> (if it is available) "View Frame Info" or "View Page Info" (Firefox) from the browser context menu. The URL is displayed in a browser dialog. Choose this URL and select Ctrl+A to highlight it. Select Ctrl+ to copy the URL to the clipboard. Ensure that you copy the complete URL.

Necessary information for SAP support when you open an OSS message and when you use HTTP(S) as a communication protocol

Ensure that you provide the following information in a message. By providing all the information, you can speed up the message processing because there is no need for further clarifications:

1. If you are having problems using HTTP(S), specify the two URLs that are determined under "General procedure when using HTTP(S) as a communication protocol" in the OSS message.

2. SAP support also requires an ABAP user name, for which there is a counterpart in J2EE, and the passwords of both users.

Communication errors in HTTP(S)-based Java to ABAP communication

The URL is generated based on the information defined for the respective SAP Web Application Server ABAP in the System Landscape Editor portal in "SAP Web Application Server (WAS)".

Typical problems and their characteristic error messages are as follows:

  • The parameters for the ABAP SAP Web Application Server are not maintained correctly.
  • Error message: "The page cannot be displayed" or the return value 404 is displayed in the Web browser
  • Solution: Check the parameters and correct them. The simplest way to obtain the correct values is to execute a test run in Transaction SE37 in the ABAP system for the "RSBB_URL_PREFIX_GET" function module, in which you specify "HTTP" or "HTTPS" for the "I_PROTOCOL" parameter depending on your configuration.


Communication errors in HTTP(S)-based ABAP to Java communication

The URL is generated based on the information defined in the SAP Web Application Server ABAP in the "RSPOR_T_PORTAL" view. You can use Transaction SM30 to display and modify this information, if required.

Typical problems and their characteristic error messages are as follows:

  • The parameters for the J2EE system are not maintained correctly.
  • Error message: "The page cannot be displayed" or the return value 404 is displayed in the Web browser
  • Solution: Check the "URL Prefix for Portal" parameter and correct it. The parameter must contain the same protocol name, server name and port that you use to call the portal main page, for instance.

Authentication errors in HTTP(S)-based Java to ABAP communication

The SAP Web Application Server ABAP in HTTP(S) only accepts queries that come from a system with a certificate that is known by the system.
The same problems may occur as those specified in the "RFC-based Java to ABAP communication" section. Although detailed error messages are not written to a log file, you should still carry out the steps described in "Solution".

You can also implement Note 495911 in this case.

Problems with the format of the URL may also prevent the exchange of cookies between ABAP and Java and as a result the behavior of Single Sign-On is incorrect. For more information about this, see Note 654982 and also Note 830830, which applies to BEx Web Applications.

Authentication errors in HTTP(S)-based ABAP to Java communication

JAAS login modules run for the authentication of a user on the J2EE side. The "EvaluateTicketLoginModule" login module is used for this for the HTTP(S)-based ABAP to Java communication. See "Component", "Ticket" for this login module. This login module only accepts logon tickets from systems that have a certificate that is known by the J2EE Engine and that were also specified in the configuration of the login module. If the J2EE user ID is different to the ABAP user ID, an "inverse" user mapping is used to determine the J2EE user ID. For this, the user mapping is interpreted "backwards" for the UME master system.

Typical problems and their characteristic error messages are as follows:

  • The login module does not accept any HTTP(S) logons from the calling SAP Web Application Server ABAP.
  • Error: The end user is asked for logon data again (Basic Authentication dialog box)
  • Solution: Check the correct configuration of the login module as described in Note 721815. The defaultTrace.trc log file contains information about the reason why the logon attempt was unsuccessful.


Problems with the format of the URL may also prevent the exchange of cookies between ABAP and Java and as a result the behavior of Single Sign-On is incorrect. For more information about this, see Note 654982 and also Note 830830, which applies to BEx Web Applications.

Additional Information

For further information, see the following sources.

For communication errors:

  • SAP NetWeaver Problem Analysis Guide "JCo Exceptions": http://help.sap.com/saphelp_erp2005/helpdata/en/6c/7ffb3f6c78ee28e10000000a1550b0/frameset.htm


For authentication errors:

  • SAP Online Help "Administration When Using Logon Tickets": http://help.sap.com/saphelp_erp2005/helpdata/en/e3/e86878c8204acc856d8d5da4a54fa4/frameset.htm
  • How-to Guide "How to Configure Single Sign-On in a Complex System Landscape": https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/security/How%20to%20Configure%20SSO%20in%20a%20Complex%20System%20Landscape.pdf

Header Data

Release Status: Released for Customer
Released on: 10.04.2006  16:33:32
Master Language: English
Priority: Recommendations/additional info
Category: Help for error analysis
Primary Component: BW-BEX-ET-WEB BEx Web ABAP Runtime
Secondary Components: BW-BEX-ET-BC Broadcasting
BW-BEX-ET-WJR BEx Web Java Runtime
专注于企业信息化,最近对股票数据分析较为感兴趣,可免费分享股票个股主力资金实时变化趋势分析工具,股票交流QQ群:457394862
分类:  SAP BI

本文转自沧海-重庆博客园博客,原文链接:http://www.cnblogs.com/omygod/archive/2011/09/15/2177043.html,如需转载请自行联系原作者
目录
相关文章
|
5月前
|
SQL 监控 安全
Java Web应用的安全防护与攻防策略
Java Web应用的安全防护与攻防策略
|
4月前
|
安全 前端开发 Java
Web端系统开发解决跨域问题——以Java SpringBoot框架配置Cors为例
在Web安全上下文中,源(Origin)是指一个URL的协议、域名和端口号的组合。这三个部分共同定义了资源的来源,浏览器会根据这些信息来判断两个资源是否属于同一源。例如,https://www.example.com:443和http://www.example.com虽然域名相同,但由于协议和端口号不同,它们被视为不同的源。同源(Same-Origin)是指两个URL的协议、域名和端口号完全相同。只有当这些条件都满足时,浏览器才认为这两个资源来自同一源,从而允许它们之间的交互操作。
Web端系统开发解决跨域问题——以Java SpringBoot框架配置Cors为例
|
4月前
|
Java Maven Android开发
解锁Web开发新技能:从零开始的Struts 2之旅——让你的Java编程之路更加宽广,首个应用实例带你飞!
【8月更文挑战第31天】对于初学者,掌握 Struts 2 框架不仅能提升 Web 开发能力,还能深入了解 MVC 架构。Struts 2 是一个基于 Servlet 的 Java 框架,提供表单验证、文件上传、国际化等功能,便于快速构建易维护的 Web 应用。本文通过示例演示如何从零开始搭建环境并创建一个简单的 Struts 2 项目,包括配置 `struts.xml`、编写 Action 类及视图文件,并配置 web.xml。通过这些步骤,你将学会基本的开发流程,为进一步学习高级功能打下基础。
66 0
|
5月前
|
消息中间件 Java 微服务
构建可扩展的Java Web应用架构
构建可扩展的Java Web应用架构
|
6月前
|
自然语言处理 前端开发 Java
Servlet与JSP:Java Web开发的基石技术详解
【6月更文挑战第23天】Java Web的Servlet与JSP是动态网页的核心。Servlet是服务器端的Java应用,处理HTTP请求并响应;JSP则是结合HTML与Java代码的页面,用于动态内容生成。Servlet通过生命周期方法如`init()`、`service()`和`destroy()`工作,而JSP在执行时编译成Servlet。两者在MVC架构中分工,Servlet处理逻辑,JSP展示数据。尽管有Spring MVC等框架,Servlet和JSP仍是理解Web开发基础的关键。
114 12
|
6月前
|
存储 Java 关系型数据库
基于Servlet和JSP的Java Web应用开发指南
【6月更文挑战第23天】构建Java Web应用,Servlet与JSP携手打造在线图书管理系统,涵盖需求分析、设计、编码到测试。通过实例展示了Servlet如何处理用户登录(如`LoginServlet`),JSP负责页面展示(如`login.jsp`和`bookList.jsp`)。应用基于MySQL数据库,包含用户和图书表。登录失败显示错误信息,成功后展示图书列表。部署到Tomcat服务器测试功能。此基础教程为深入Java Web开发奠定了基础。
137 10
|
6月前
|
存储 缓存 负载均衡
使用Java构建可扩展的Web应用
使用Java构建可扩展的Web应用
|
5月前
|
监控 负载均衡 Java
如何设计高可用性的Java Web应用程序
如何设计高可用性的Java Web应用程序
|
5月前
|
Java UED
Java Web 中forward 和 redirect 的区别
在Java Web开发中,页面跳转是构建用户界面和实现业务逻辑的重要组成部分。Forward(转发)和Redirect(重定向)是两种常见的跳转方式,它们分别具有不同的特点和适用场景。正确地选择和使用这两种跳转方式,有助于提高Web应用的性能、用户体验和代码可维护性。
88 0
|
5月前
|
SQL 安全 Java
Java Web应用的安全防护与攻防深度剖析
Java Web应用的安全防护与攻防深度剖析