Note 888687 - BEx Web Java: Analysis of communication/logon problems

Summary

Symptom

This note describes how to analyze logon problems and communication problems in the area of BEx Web Java. It illustrates ways of analyzing the most common errors and also describes the information that SAP Support requires to process messages in this area efficiently.

Other terms

BEx Web, Web Application, broadcasting, RFC, HTTP, HTTPS, ABAP, Java, Single Sign-On, SSO

Reason and Prerequisites

You configure information broadcasting in a system landscape with SAP NetWeaver 2004 or a higher version.

or

You configure the "Enterprise Reporting, Query, and Analysis" IT scenario and, in particular, the "Query, Reporting and Analysis" scenario variant in a system landscape with SAP NetWeaver 2004s or a higher version.

When you test the configuration or when you execute an application, problems occur in the communication between the SAP Web Application Server Java and the SAP Web Application Server ABAP.

Solution
Classifying the problem

Information broadcasting and Java-based BEx Web Applications communicate differently between Java and ABAP. In the following section, the possible problems are divided into categories. Determine which category your question belongs to, read the information under "General procedure... " (depending on the communication protocol) and then read the section that deals specifically with your problem.

Note that there are two different protocols:

  • RFC communication: RFC communication is always used when the SAP Web Application Server JAVA and the SAP Web Application Server ABAP communicate "in the background", which means that they communicate with each other on the server. This is the case, for instance, when query results are read to display them in a Java-based BEx Web Application, or when precalculated HTML pages are generated in a batch job and then distributed to a Knowledge Management folder using information broadcasting.
  • HTTP(S) communication: This type of communication uses the Web browser as an interim step. For example, it is used when the BEx broadcaster (which is an ABAP-based BEx Web Application) is called from a Java-based BEx Web Application. It is also used in the BEx broadcaster when the dialog box for selecting the folder is called to export the data into the portal, and this has been implemented as a Java iView. Technically, the two actions specified here are executed when a URL is started on the client side.


It is important to bear the direction of the communication in mind:

  • Java to ABAP communication: The initiator of the action is on the Java side and the data recipient is on the ABAP side.
  • ABAP to Java communication: The initiator of the action is on the ABAP side and the data recipient is on the Java side.


Finally, there are the following two problem areas:

  • An error may occur when setting up the communication: This happens if a technical connection between the two systems cannot be established.
  • There may be an authentication (logon) error: The technical connection exists, but there is a problem identifying the user in the recipient that corresponds with the user in the initiator. Since both Java and ABAP work only with authenticated users and not service users, it is absolutely necessary that the user logs on to the calling system correctly so that the overall scenario can function correctly.

Note that logon tickets are used in the area of information broadcasting and Java-based BEx Web Applications. In these scenarios, the user does not need to log on to the Web browser or the SAP GUI twice. A double logon indicates that there is an error in the configuration. There are some exceptions to this rule, which render another logon necessary:

  • When you call a BEx Web Application or the Broadcaster from a BEx tool, such as the BEx Web Application Designer.
  • When you use a specific export format that references contents (for instance, MIME objects) from the SAP Web Application Server or other servers.


We shall now present information about more exact ways of analyzing the problems for each combination of the three subject areas that are mentioned above.

General procedure when using RFC as a communication protocol

If problems occur when you use RFC as a communication protocol, in the SAP J2EE Visual Administrator, use the following menu path

  • "<J2EE_SID>" -> "Server" -> "Services" -> "Log Configurator",

to change the following locations to the "ALL" severity to receive more exact information:

  • com.sap.ip.bi.webapplications
  • com.sap.portal.connectors.BW
  • com.sap.portal.ivs.semantic.systemLandscape
  • com.sap.portal.ivs.systemConnectionTests
  • com.sap.security.api.saml
  • com.sap.security.core.server.jaas
  • com.sap.security.core.server.saml
  • com.sap.security.core.session
  • com.sap.security.core.ticket
  • com.sap.security.core.umap
  • com.sap.security.core.util


Save the changes and distribute them to all server nodes. Do not forget to reset the values to their default values as soon as you have found the reason for the error. You do this to avoid unnecessary entries in the log and to prevent a negative impact on system performance.

After resetting the trace settings, carry out the action that caused the error again.

For more information about the cause of the error in an RFC communication, see the last entries in the dev_jrfc.trc file in the following directory

  • /usr/sap/<SID>/JC<SYSNR>/j2ee/cluster/server<#>

All RFC errors are logged in this file regardless of the direction of the communication. In most cases, this allows you to narrow down the cause of the error. You can also find the log entries for the individual components concerned in the following file

  • /usr/sap/<SID>/JC<SYSNR>/j2ee/cluster/server<#>/log/defaultTrace.trc

You can view these in the "Log Viewer" in SAP J2EE Visual Administrator. The newest entries are displayed at the top in the "Log Viewer", which differs from the dev_jrfc.trc file.

Note that for a cluster installation, extra files are created for each server node. Since you cannot determine which server node is processing the RFC request, you may have to go through all these files.

Necessary information for SAP support when you open an OSS message and when you use RFC as a communication protocol

Ensure that you provide the following information in a message. By providing all the information, you can speed up the message processing because there is no need for further clarifications:

1. SAP support also requires the dev_jrfc.trc and defaultTrace.trc files for troubleshooting. Proceed as described under "General procedure when using RFC as a communication protocol"

If you create an OSS message, attach these files to the message in the case of RFC communication problems. Ensure that you copy the files directly from the respective server and avoid making any format conversions.

If your system is a cluster installation, attach the files of all cluster nodes to the message. This is necessary because there is no way of determining which server node is processing the RFC request.

2. Also, attach the ABAP certificate to the message as an attachment. You can export this into a file by saving the corresponding certificate by selecting "Export" in SAP J2EE Visual Administrator in "View" "TicketKeystore" under "<J2EE_SID>" -> "Server" -> "Services" -> "Key Storage".

3. Create screenshots of the login module settings and attach these to the message. The settings are under "<J2EE_SID>" -> "Server" -> "Services" -> "Security Provider" in SAP J2EE Visual Administrator. In the settings, select "ticket" under "Components" and choose "Toolbar" to go to change mode. Select "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" in the list of "login modules" and choose "Modify". Change the window size and the column sequence in such a way that all entries that exist there are visible, and then create the screenshot. In the same way, proceed under "evaluate_assertion_ticket" with the "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.

4. SAP support also requires an ABAP user name, for which there is a counterpart in J2EE, and the passwords of both users.

5. Finally, name the RFC destination that is used for the communication.

Communication errors in RFC-based Java to ABAP communication

To determine the correct SAP NetWeaver BI ABAP system, the system tries to determine the correct logon parameters for an RFC logon using the alias in the portal system landscape. If this is successful, the system transfers the parameters to the JRFC interface and this interface is responsible for the actual communication.

Typical problems and their characteristic error messages are as follows:

  • The user does not have any read authorization for the system alias in the portal system landscape.
  • Error message: "No permission for system alias ..." in the defaultTrace.trc log file.
  • Solution: In portal system landscape maintenance, under "Authorizations", select the "User" checkbox for the "Everyone" user group, for another role or another user group to which the user is assigned, or select it for a list of single users.
  • A parameter is missing from the system parameters and this parameter is necessary for setting up the connection.
  • Error message: "'...' is missing" in the dev_jrfc.trc log file
  • Solution: In the portal system landscape maintenance, check the parameters that were entered in the "Connector" category for your SAP NetWeaver BI ABAP system. The system needs the parameter specified in the error message for the connection setup, but this has not been entered.
  • A system parameter is not specified correctly causing the connection setup to fail.
  • Error message: "hostname '...' unknown", "service '...' unknown" or an error message in the dev_jrfc.trc log file
  • Solution: Correct the incorrect parameter in the "Connector" settings in the System Landscape Editor in the portal.

Communication errors in RFC-based ABAP to Java communication

In ABAP to Java communication, the SAP J2EE Engine works as an RFC server. When you start up the J2EE Engine the "JCo RFC Provider" registers itself under a unique name on the RFC gateway. After this registration, you can perform an RFC call from ABAP. This call is addressed to the RFC gateway, which forwards it to the "JCo RFC Provider" of the SAP J2EE Engine.

Typical problems and their characteristic error messages are as follows:

  • A system parameter is not specified correctly causing the connection setup to fail.
  • Error message: "hostname '...' unknown", "service '...' unknown" or an error message in the dev_jrfc.trc log file
  • Solution: Correct the incorrect parameter in the settings of the RFC Bundle in the J2EE Visual Administrator in "<J2EE_SID>" -> "Server" -> "Services" -> "JCo RFC Provider".

Authentication errors in RFC-based Java to ABAP communication

After the successful physical connection, the SAP Web Application Server ABAP tries to log the user on using the information available. In the areas of information broadcasting and the "Enterprise Reporting, Query, and Analysis" IT scenario, the system usually uses logon tickets to log the user on.

Typical problems and their characteristic error messages are as follows:

  • The SAP Web Application Server ABAP does not accept the logon ticket created by the SAP Web Application Server Java because it does not recognize the certificate with which the ticket was created.
  • Error message: "The issuer of the SSO ticket could not be checked" in the dev_jrfc.trc log file
  • Solution: In Transaction STRUSTSSO2 in the SAP Web Application Server ABAP, check whether the certificate of the SAP Web Application Server Java appears under "Certificate list" and under "Logon ticket". The client in "Logon Ticket" should usually be specified as "000". An empty value here is not valid. Also check in the tree view on the right-hand side of the screen to see if a green traffic light is displayed for all application servers in "System PSE". If this is not the case, the information on the respective application servers is obsolete. In this case, select "Distribute" from the context menu for "System PSE" until all application servers display a green traffic light.
  • There is no ABAP user assigned for the calling J2EE user. This error only occurs if the user ID for the J2EE user and the ABAP user are not the same.
  • Error message: "Name or password is not correct (repeat the logon)" in the dev_jrfc.trc log file
  • Solution: Check if a user assignment (user mapping) exists for the user for the SAP User Management Engine (UME) master system. Here, it is important that mapping in the UME master system is always used to determine the ABAP user name. This is also the case when you want to open a connection to a system that is not a UME master system.
  • The SAP Web Application Server ABAP is not maintained as a UME reference system and therefore, SSO tickets are not issued correctly.
  • Error message: "message: 'password' missing" in the dev_jrfc.trc log file
  • Solution: Enter the SAP Web Application Server ABAP as a UME reference system and start the SAP Web Application Server Java so that the settings are transferred.
  • The logon method is not set to "SAPLOGONTICKET" for the system that is assigned to the SAP Web Application Server ABAP in the portal system landscape maintenance.
  • Error message: "message: 'user' missing" in the dev_jrfc.trc log file
  • Solution: Set the "Logon Method" parameter to "SAPLOGONTICKET" in the SAP Web Application Server ABAP in the system landscape maintenance portal.
  • The times of the system clocks between the SAP Web Application Server JAVA and the SAP Web Application Server ABAP do not correspond. As a result, the SAP logon ticket issued by the SAP Web Application Server JAVA is not yet valid or is no longer valid.
  • Solution: Synchronize the two system clocks so that the system can determine the validity of the SAP logon ticket correctly.


If the errors specified above do not apply or do not help solve the problem, you can determine the exact error by following the steps in Note 495911 describing how to record a logon trace.

Authentication errors in RFC-based ABAP to Java communication

JAAS login modules run for the authentication of a user on the J2EE side. Login module "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" is used in this case for the RFC-based ABAP to Java communication. See "Component", "evaluate_assertion_ticket" for this login module. This login module only accepts logon tickets from systems that have a certificate that is known by the J2EE Engine and that were also specified in the configuration of the login module. If the J2EE user ID is different to the ABAP user ID, an "inverse" user mapping is used to determine the J2EE user ID. For this, the user mapping is interpreted "backwards" for the UME master system.

Typical problems and their characteristic error messages are as follows:

  • The login module does not accept any RFC logons from the calling ABAP system.
  • Error message: ABAP short dump "Incoming call is not authorized."
  • Solution: Check the correct configuration of the login module in accordance with Note 721815. That note describes the procedure for EvaluateTicketLoginModule. In the case of an RFC logon, you must instead configure the EvaluateAssertionTicketLoginModule login module under "evaluate_assertion_ticket".

    You can determine "issuer distinguished name" and "subject distinguished name" for the note mentioned above by selecting the certificate of your BW back-end system under "<J2EE_SID>" -> "Server" -> "Services" -> "Key Storage", "View" "TicketKeystore" and copying the values after "[ issuerDN ]" and "[ DN ]" to the clipboard. You must pay particular attention to upper/lower case, blank characters and so on.

    Check the correct configuration of the login module as described in Note 721815. The defaultTrace.trc log file contains information about the reason why the logon attempt was unsuccessful.

  • The "inverse" user assignment (user mapping) is not unique.
  • Error message: com.sap.security.api.umap.MultipleHitException: Too much hits found
  • Solution: For a specified ABAP user, the system found more than one Java user for which a user assignment for that ABAP user is maintained. However, this "inverse" user assignment must be unique for the ABAP to JAVA communication because otherwise, the UME system cannot determine which JAVA user must be logged on. Determine which Java users are mapped to the ABAP user and delete all user assignments except for one.
  • The times of the system clocks between the SAP Web Application Server ABAP and the SAP Web Application Server JAVA do not correspond. As a result, the SAP logon ticket issued by the SAP Web Application Server JAVA is not yet valid or is no longer valid.
  • Error message: Ticket is not yet valid... / Ticket is not valid until ...
  • Solution: Synchronize the two system clocks so that the system can determine the validity of the SAP logon ticket correctly.
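
An added triage sketch, not part of the SAP Note or of any SAP tool: it scans dev_jrfc.trc and log/defaultTrace.trc under every server<#> node and maps the message fragments quoted in the RFC sections above to the check the note recommends. The trace lines, host name and alias in the sample are constructed, and only the quoted fragments are matched because the note does not show the full trace line layout.

```python
import re
import tempfile
from pathlib import Path

# Message fragments quoted in the note -> what the note says to check.
# Specific ticket/logon messages are listed before the generic parameter ones.
RULES = [
    (r"issuer of the SSO ticket could not be checked",
     "auth Java->ABAP: J2EE certificate missing in STRUSTSSO2 or System PSE not distributed"),
    (r"Name or password is not correct",
     "auth Java->ABAP: no user mapping to an ABAP user in the UME master system"),
    (r"'password' missing",
     "auth Java->ABAP: ABAP system not maintained as UME reference system"),
    (r"'user' missing",
     "auth Java->ABAP: Logon Method is not SAPLOGONTICKET in the system landscape"),
    (r"MultipleHitException",
     "auth ABAP->Java: inverse user mapping is not unique"),
    (r"Ticket is not (yet )?valid",
     "auth ABAP->Java: system clocks of ABAP and Java are not synchronized"),
    (r"No permission for system alias",
     "comm Java->ABAP: user lacks permission on the portal system alias"),
    (r"'[^']*' is missing",
     "comm Java->ABAP: required parameter not entered in the 'Connector' category"),
    (r"(hostname|service) '[^']*' unknown",
     "comm, either direction: wrong host/service in 'Connector' settings or in 'JCo RFC Provider'"),
]
COMPILED = [(re.compile(p), hint) for p, hint in RULES]
TRACE_FILES = ("dev_jrfc.trc", "log/defaultTrace.trc")


def classify(line):
    """Return the hint for the first rule matching a trace line, else None."""
    for pattern, hint in COMPILED:
        if pattern.search(line):
            return hint
    return None


def scan_cluster(cluster_dir):
    """Scan the traces of every server node; any node may have handled the call."""
    findings = []
    for node in sorted(Path(cluster_dir).glob("server*")):
        for rel in TRACE_FILES:
            trace = node / rel
            if not trace.is_file():
                continue
            text = trace.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                hint = classify(line)
                if hint:
                    findings.append((node.name, rel, lineno, hint))
    return findings


def demo():
    """Build a two-node cluster directory with constructed trace lines and scan it."""
    samples = {  # constructed lines; only the quoted message fragments come from the note
        "server0/dev_jrfc.trc": "Error> connect failed\nmessage: 'user' missing\n",
        "server0/log/defaultTrace.trc": "Info: iView started\n",
        "server1/dev_jrfc.trc": "message: hostname 'bwhost.example' unknown\n",
        "server1/log/defaultTrace.trc": "No permission for system alias SAP_BW\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan_cluster(root)


if __name__ == "__main__":
    for node, rel, lineno, hint in demo():
        print(f"{node}/{rel}:{lineno}: {hint}")
```

On a real installation, pass the /usr/sap/<SID>/JC<SYSNR>/j2ee/cluster directory to scan_cluster. The "hostname/service unknown" message is reported for both directions because the message alone does not say which side initiated the call.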


General procedure when using HTTP(S) as a communication protocol

When you use HTTP(S) as a communication protocol, it is important to know the URL from which the incorrect page is called. You must also determine the URL that was called. To determine the two URLs, right-click the respective browser window and select "Properties" (MS Internet Explorer) or "This Frame" -> (if it is available) "View Frame Info" or "View Page Info" (Firefox) from the browser context menu. The URL is displayed in a browser dialog. Choose this URL and press Ctrl+A to highlight it. Press Ctrl+C to copy the URL to the clipboard. Ensure that you copy the complete URL.

Necessary information for SAP support when you open an OSS message and when you use HTTP(S) as a communication protocol

Ensure that you provide the following information in a message. By providing all the information, you can speed up the message processing because there is no need for further clarifications:

1. If you are having problems using HTTP(S), specify the two URLs that are determined under "General procedure when using HTTP(S) as a communication protocol" in the OSS message.

2. SAP support also requires an ABAP user name, for which there is a counterpart in J2EE, and the passwords of both users.

Communication errors in HTTP(S)-based Java to ABAP communication

The URL is generated based on the information defined for the respective SAP Web Application Server ABAP in the System Landscape Editor portal in "SAP Web Application Server (WAS)".

Typical problems and their characteristic error messages are as follows:

  • The parameters for the ABAP SAP Web Application Server are not maintained correctly.
  • Error message: "The page cannot be displayed" or the return value 404 is displayed in the Web browser
  • Solution: Check the parameters and correct them. The simplest way to obtain the correct values is to execute a test run in Transaction SE37 in the ABAP system for the "RSBB_URL_PREFIX_GET" function module, in which you specify "HTTP" or "HTTPS" for the "I_PROTOCOL" parameter depending on your configuration.


Communication errors in HTTP(S)-based ABAP to Java communication

The URL is generated based on the information defined in the SAP Web Application Server ABAP in the "RSPOR_T_PORTAL" view. You can use Transaction SM30 to display and modify this information, if required.

Typical problems and their characteristic error messages are as follows:

  • The parameters for the J2EE system are not maintained correctly.
  • Error message: "The page cannot be displayed" or the return value 404 is displayed in the Web browser
  • Solution: Check the "URL Prefix for Portal" parameter and correct it. The parameter must contain the same protocol name, server name and port that you use to call the portal main page, for instance.

Authentication errors in HTTP(S)-based Java to ABAP communication

The SAP Web Application Server ABAP in HTTP(S) only accepts queries that come from a system with a certificate that is known by the system.
The same problems may occur as those specified in the "RFC-based Java to ABAP communication" section. Although detailed error messages are not written to a log file, you should still carry out the steps described in "Solution".

You can also implement Note 495911 in this case.

Problems with the format of the URL may also prevent the exchange of cookies between ABAP and Java and as a result the behavior of Single Sign-On is incorrect. For more information about this, see Note 654982 and also Note 830830, which applies to BEx Web Applications.

Authentication errors in HTTP(S)-based ABAP to Java communication

JAAS login modules run for the authentication of a user on the J2EE side. The "EvaluateTicketLoginModule" login module is used for this for the HTTP(S)-based ABAP to Java communication. See "Component", "Ticket" for this login module. This login module only accepts logon tickets from systems that have a certificate that is known by the J2EE Engine and that were also specified in the configuration of the login module. If the J2EE user ID is different to the ABAP user ID, an "inverse" user mapping is used to determine the J2EE user ID. For this, the user mapping is interpreted "backwards" for the UME master system.

Typical problems and their characteristic error messages are as follows:

  • The login module does not accept any HTTP(S) logons from the calling SAP Web Application Server ABAP.
  • Error: The end user is asked for logon data again (Basic Authentication dialog box)
  • Solution: Check the correct configuration of the login module as described in Note 721815. The defaultTrace.trc log file contains information about the reason why the logon attempt was unsuccessful.


Problems with the format of the URL may also prevent the exchange of cookies between ABAP and Java and as a result the behavior of Single Sign-On is incorrect. For more information about this, see Note 654982 and also Note 830830, which applies to BEx Web Applications.

Additional Information

For further information, see the following sources.

For communication errors:

  • SAP NetWeaver Problem Analysis Guide "JCo Exceptions": http://help.sap.com/saphelp_erp2005/helpdata/en/6c/7ffb3f6c78ee28e10000000a1550b0/frameset.htm


For authentication errors:

  • SAP Online Help "Administration When Using Logon Tickets": http://help.sap.com/saphelp_erp2005/helpdata/en/e3/e86878c8204acc856d8d5da4a54fa4/frameset.htm
  • How-to Guide "How to Configure Single Sign-On in a Complex System Landscape": https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/security/How%20to%20Configure%20SSO%20in%20a%20Complex%20System%20Landscape.pdf

Header Data

Release Status: Released for Customer
Released on: 10.04.2006  16:33:32
Master Language: English
Priority: Recommendations/additional info
Category: Help for error analysis
Primary Component: BW-BEX-ET-WEB BEx Web ABAP Runtime
Secondary Components: BW-BEX-ET-BC Broadcasting
BW-BEX-ET-WJR BEx Web Java Runtime
This article is reposted from the 沧海-重庆 blog on 博客园 (cnblogs); original link: http://www.cnblogs.com/omygod/archive/2011/09/15/2177043.html. To repost it, please contact the original author.