Initial setup of profile generator in NW ABAP 7.5x Developer Edition

After installing NW ABAP 7.52 Developer Edition, you can run transaction PFCG and add new roles and authorizations. As the system is new, you first need to run transaction SU25 before you can create a new role and add authorizations to it.

Starting Profile Generator in PFCG for the first time will show a message.

Initially fill Profile Generator customer tables

Tx: SU25

Confirm that you know how to read SAP Notes.

The transaction shows a list of actions you can perform. As the system is a new one, do as the info message text stated: run action (1).

Click on Initially Fill the Customer Tables (1)

As the developer edition is a standard SAP system, checking only the first item is enough.

The program is running and doing the needful.

After the loading finishes, a result screen is shown.

After executing the above steps, you can go back to profile generator and add new roles and authorizations.


Add OAuth 2.0 scope to client in Keycloak

After performing the previous steps in Keycloak, an OAuth 2.0 scope and a client are available. For the client to receive the scope after it authenticates against Keycloak, you need to assign the scope to the client.

Log on to Keycloak and go to clients and select oidclient. This is the client created earlier.

Go to tab “Client Scopes”

Assign the previously created scope to the client.

Result

The scope is assigned to the client. Now the client can authenticate and Keycloak will issue the OIDC tokens and include the given scope.


Update PHP version on Amazon EC2

It was time to update the PHP version on my WordPress server. WordPress gave me warnings; the site health plugin gave me a warning. Plugins gave me warnings. PHP, IT news sites, the internet, warnings everywhere.

I knew that my PHP version was very old. But still supported. At least until beginning of 2019. When I configured the server for the first time several years ago, the installed PHP version was already not the latest. It was what yum install php gave me. Updating software is crucial, so I decided to finally touch my running system.

WordPress provides a site explaining how to update your PHP version. The update process in the documentation goes like: write an email to your hoster. Or: Not working in my case. For those that want to know how to update PHP on an Amazon AMI EC2 instance, here are the steps and my lessons learned.

Preparations

First, do a backup. Update WordPress and the plugins. Check that the plugins are compatible with PHP 7.2

  • Backup: See my blog on how to create a snapshot of an EC2 instance.
  • Update WordPress and plugins: Easy: just do as always and keep it up-to-date.
  • Check plugins for compatibility: A plugin is available to check the installed plugins and files for compatibility with PHP 7.x. Install and activate it and run a test.

The PHP Compatibility plugin is started from the WP Admin site. Hint: in my case, the plugin worked fine, but also crashed the server. After running it and saving the results, uninstall it.

The output is an evaluation of the plugins and their compatibility status.

Update

Next step is to update PHP. Use the package manager for this. I’ll split the installation process in two parts: PHP and the additional packages.

sudo yum update
sudo yum install php72
sudo yum install php72-opcache php72-mysqlnd php72-gd php72-pecl-imagick php72-bcmath

Result installation PHP 7.2

Result Installation of additional PHP packages

Activate PHP

After installing PHP 7.2 it must be activated. The old PHP version is still the default one, meaning that calling php is not calling PHP 7.2. To change the paths, run alternatives. It will show the available alternatives and ask which one you want to use. I am going to use PHP 7.2, so the input here was 2.

alternatives --config php

php -version

Now PHP 7.2 is installed and activated. After restarting Apache, WordPress will run on a newer PHP version.


Create OAuth 2.0 scope in Keycloak

OAuth uses scopes to restrict access to resources. “Scope is a mechanism in OAuth 2.0 to limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.” [link]

A service is assigned to a scope, therefore without being allowed to access a scope, you cannot access the resource. You can create scopes independently from the resource, that is: first create a scope, then assign the scope to a service you want to access. In reality, you should first create the service and then assign a scope to it.

Once you know the scope, log in to Keycloak and create a client scope. Later this scope will be assigned to a client. When the client then authenticates against Keycloak, the scope is assigned to it and the client can access the service.

Click on create

In the following form, enter the data for the OAuth scope:

  • Name: Scope for service. Here I used ZDEMO_CDS_SALESORDERITEM_CDS_0001, a scope for a CDS Service. Don’t worry, it’s just an example, Gateway does not work with OpenId Connect.
  • Description: SAP Gateway OData service
  • Protocol: openid-connect
  • Display on Consent Screen: off

Save

The OAuth scope is created. It can now be assigned to a client.

Note

When you change the scope of the service, you need to update the scope information here too.


Add OAuth 2.0 client in Keycloak

In this article I will show how to add an OAuth 2.0 client in Keycloak.

Log in to Keycloak and select a realm. In a new (empty) installation of Keycloak, the realm Master is selected by default. The realm name is important, as it is part of the URL used later for OAuth authentication.

To create a new OAuth 2.0 client, click on create.

Insert your information for the client. Make sure openid-connect is selected as client protocol.

Client ID: oidclient
Client Protocol: openid-connect

Click on save and the client configuration screen is shown. Here you can add and alter additional information.

Important

  • Access Type: confidential. This will require the OAuth 2.0 client to send a client secret to authenticate itself.
  • Service Accounts Enabled: On

  • Valid Redirect URIs: set to a valid one, like /

All other parameters should work as given.

Switch to tab Credentials

Here you can see the OAuth 2.0 client secret. As in the settings tab the access type was set to confidential, the client must send its client id and secret to Keycloak to authenticate itself. The client id is the name of the client (oidclient), and here you can see the secret: 7bc40…

You can now add the OAuth 2.0 scopes to the client.
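With the client set to confidential, service accounts enabled and the scope assigned, the client can request a token with the client credentials grant and confirm that the scope claim contains the expected scope and nothing beyond it. The following is an added example, not code from the original articles: the host name, the `/auth` path prefix of older Keycloak releases, the realm name `master` and all function names are assumptions, and the token is a constructed sample.

```python
import base64
import json
from urllib.parse import urlencode

# Assumptions: host name is a placeholder; "/auth" is the pre-17 Keycloak path prefix.
KEYCLOAK_BASE = "https://keycloak.example.test/auth"
REALM = "master"
CLIENT_ID = "oidclient"
SCOPE = "ZDEMO_CDS_SALESORDERITEM_CDS_0001"


def token_request(client_secret, scope=SCOPE):
    """Build URL, headers and form body for a client_credentials token request."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    basic = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    # Naming the scope also covers the case where it was assigned as optional.
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_scopes(token_response, required, allowed):
    """Return (missing, unexpected) scopes found in the issued access token."""
    granted = set(jwt_claims(token_response["access_token"]).get("scope", "").split())
    return sorted(set(required) - granted), sorted(granted - set(allowed))


def constructed_token(scope):
    """Constructed sample token with a dummy signature, standing in for Keycloak's reply."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256"})
    payload = enc({"azp": CLIENT_ID, "scope": scope})
    return f"{header}.{payload}.c2ln"


if __name__ == "__main__":
    sample = {"access_token": constructed_token(f"email profile {SCOPE}")}
    print(token_request("<client-secret>")[0])
    print(check_scopes(sample, [SCOPE], [SCOPE, "email", "profile"]))
```

A resource server must still validate the token signature against the realm's keys; `jwt_claims` only reads the payload to review what was issued.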


How to install HANA Express Edition on Proxmox

It is easy to install SAP HXE on Proxmox. It’s just 3 steps.

  1. Preparation
  2. Install HXE
  3. Additional configuration

Preparation

Before you can run HXE, first you have to download the files from SAP and configure a Proxmox VM for HXE and import the OVA image. I wrote a blog on how you can import an OVA image in Proxmox.

Install HXE

After importing the OVA image, you have a virtual machine with HXE. The image is only missing the installation of HXE. Start the VM.

  1. Select keyboard layout to use.

  2. Configure time zone.

  3. Login
Login: hxeadm
Password: HXEHana1

  4. Change password

After logging in, you will be asked to change your password.

  5. HXE Installation

After changing the password, HXE installation will be started automatically.

Provide HANA master password

Proxy configuration: y or n, depends on your network configuration.

Start XSA configuration.

Wait for XSA configuration to finish. This will block the console, but also allows you to easily check the current status of the installation.

Confirm values: Y

Installation starts. Grab coffee, a lot. More. Way more coffee.

When the installation successfully runs through, a congratulation message is written to the shell.

To see the started services:

./HDB info

Additional configuration

Stop HXE

./HDB stop

Start HXE

./HDB start

Access

Note the IP address and assign an alias to it in the /etc/hosts file of your laptop to be able to access HXE with a FQDN.


Installing SAP Enterprise Designer in HXE

To be able to install EA Designer in HXE, you first need to copy the eadesigner.tgz file to your HXE server. SAP is not making the file available as a freely available standalone download. You get the file with the HXE downloader.

First “problem” to solve is how to get the file on your HXE. In my case: a VM running on Proxmox.

If you have the eadesigner.tgz file on your laptop, and the HXE server is in the same network as you are (e.g. WLAN), you can copy the file using scp. As an alternative, you can host the eadesigner.tgz file on an HTTP server and download it from there. For Tomcat, copy the file eadesigner.tgz to the root directory and start Tomcat.

Tomcat

Copy file to: webapps/ROOT
Start tomcat: ./bin/startup

HXE

Go to Downloads directory:

cd /usr/sap/HXE/home/Downloads

Download file from HXE:

curl http://192.168.0.1/eadesigner.tgz --output eadesigner.tgz

Preparations

After having the file locally available in HXE you can start the installation procedure. Start with extracting the file content.

tar -xzvf eadesigner.tgz
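Because the archive arrives over plain HTTP and its installer is later given the SYSTEM and XSA_ADMIN passwords, it is worth comparing the downloaded file with the copy on the laptop and inspecting its member paths before running the tar command above. The following is an added example, not part of the original post: the function names are hypothetical, the expected digest is assumed to be computed on the laptop copy, and the archives are constructed in memory.

```python
import hashlib
import hmac
import io
import tarfile


def sha256_of(fileobj, chunk=1 << 20):
    """Stream a file object through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def escapes(path):
    """True for absolute paths and paths containing a '..' component."""
    return path.startswith("/") or ".." in path.split("/")


def unsafe_members(fileobj):
    """List members (or link targets) that point outside the extraction directory."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        return [m.name for m in tar
                if escapes(m.name) or ((m.issym() or m.islnk()) and escapes(m.linkname))]


def verify_download(fileobj, expected_sha256):
    """Accept the archive only if the digest matches and no member escapes."""
    fileobj.seek(0)
    if not hmac.compare_digest(sha256_of(fileobj), expected_sha256.lower()):
        return False
    fileobj.seek(0)
    return not unsafe_members(fileobj)


def constructed_tgz(names):
    """Constructed sample archive held in memory, standing in for eadesigner.tgz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

On the HXE host, open the real file with `open("eadesigner.tgz", "rb")` and pass the digest obtained from the laptop copy to `verify_download`.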

Installation

Run installer

cd HANA_EXPRESS_20
./install_eadesigner.sh

Enter setup information

  • HANA Instance number
  • SYSTEM user password
  • XSA_ADMIN user password

Confirm to continue installation: Y.

Installation starts

When you see the command line again, EA Designer is (or should be) installed.

Post installation

Confirm status of EA Designer

xs apps

Look for the column state. The following 3 services must be started

  • eadesigner
  • eadesigner-backend
  • eadesigner-service

State STOPPED

The following service is only used during installation and can be in state stopped.

  • eadesigner-db

Access EA Designer

Note down the port of EA Designer.

https://hxehost:51028


Presentation SITMUC 2019

Event information

  • Location: SITMUC 2019, Munich, IBM Client Innovation Center Germany GmbH
  • Date: 19.10.2019
  • Site: Event website
  • Title: Multicloud or a look back from an architect
  • Presentation: PDF

Additional information

  • Fruit Checker App is not a productive app. It is a showcase with the intention to make people think about the possibilities: what can you do today, value that combination of services can bring, etc.
  • The idea for the architecture is to make sure that the underlying concept is valid even when new implementations are started on top of it. The individual solutions have to fit in, without violating the general architectural concept. That is: a new house can be built, as long as it fits into Mannheim’s Quadrate idea. It may be small or large, but still fits a block and follows the number scheme.
  • Same for the transportation concept: as long as you follow the established protocols and paths, you will arrive as planned. To go from Karlsruhe to Mannheim, you can use car or train. Going by horse is possible, but not recommended. Same with systems: use HTTPS, REST, BAPI, Integration, etc, but don’t use something that is possible but makes no sense (communicate via FTP instead of SSH/SCP).
  • SAP CAPM is from SAP, and therefore it depends on SAP’s ideas what is possible and what not. Maybe one day the process will be open and less SAP driven, and then we may have a tool that is even better than Spring Data.
  • Some slides are not included for a simple reason: they only make sense in the context of a live talk.

Create an oData service from CDS

This blog is about how to create an oData service from a CDS View. The code and example follow closely SAP Help documentation and the included example on this topic:

I only cut the documentation overhead and make the information available in a single blog. As you can see in the above two links, the task consists of 2 steps:

  1. Create CDS View
  2. Expose OData service

For the example, I used NW ABAP 7.52 Developer Edition and ABAP in Eclipse (ADT) tools. If you have a “real” SAP NW ABAP System available, you may also implement the sample service there.

Create CDS Data Source

In ADT, create a new CDS Data Definition.

Name: ZDEMO_CDS_SalesOrderItem
Description: List Reporting for Sales Order Item

Click on next to go through the wizard.

Paste the following code in the newly created file: https://github.com/tobiashofmann/cds_sample_service/blob/master/ZDEMO_CDS_SalesOrderItem

@AbapCatalog.sqlViewName: 'ZDEMO_SOI_001'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'List Reporting for Sales Order Item'
@OData.publish: true

define view ZDEMO_CDS_SalesOrderItem as select from SEPM_I_SalesOrderItem_E as Item {
  key Item.SalesOrder as SalesOrderID,
  key Item.SalesOrderItem as ItemPosition,
  Item._SalesOrder._Customer.CompanyName as CompanyName,
  Item.Product as Product,
  @Semantics.currencyCode: true
  Item.TransactionCurrency as CurrencyCode,
  @Semantics.amount.currencyCode: 'CurrencyCode'
  Item.GrossAmountInTransacCurrency as GrossAmount,
  @Semantics.amount.currencyCode: 'CurrencyCode'
  Item.NetAmountInTransactionCurrency as NetAmount,
  @Semantics.amount.currencyCode: 'CurrencyCode'
  Item.TaxAmountInTransactionCurrency as TaxAmount,
  Item.ProductAvailabilityStatus as ProductAvailabilityStatus
}

Save and activate the CDS View.

Activate OData Service

The above created a CDS Data Definition and when activating, some magic happened. What is missing is to activate the OData service. ADT won’t do this for you, this needs to be done manually in the Gateway System.

Tx: /n/IWFND/MAINT_SERVICE

Click on Add Service

Search for services in the local system.

System Alias: LOCAL
Technical Service Name: ZDEMO_CDS_SALESORDERITEM_CDS

Click on Get Services

The CDS Service is shown.

Select the service and click on Add selected Services

Add service dialog.

Package Assignment: $TMP (click on Local Object)

Test service

After performing the above steps, the CDS View is implemented and the OData service exposing the data is active and can be used. You may now test the service to see if everything is working as expected.

Tx: /n/IWFND/MAINT_SERVICE
Select the service: ZDEMO_CDS_SALESORDERITEM_CDS

Click on SAP Gateway Client. To test the service, use the URL:

/sap/opu/odata/sap/ZDEMO_CDS_SALESORDERITEM_CDS/$metadata

Available entity sets can be seen by clicking on EntitySets.

Available options by clicking on Add URI Option

To see the top 2 results in JSON, the URL is:

/sap/opu/odata/sap/ZDEMO_CDS_SALESORDERITEM_CDS/ZDEMO_CDS_SalesOrderItem?$top=2&$format=json


Presentation SITMUC 2018

Event information

  • Location: SITMUC 2018, Einstein Kultur
  • Date: 13.10.2018
  • Site: Event website
  • Title: Creating apps with UI5
  • Presentation: PDF

Additional information

  • Make sure to select a language that supports the team, not just you.
  • App development is not just coding: that’s why the presentation is about creating apps. It’s a team effort.
  • Demo apps are mostly for myself and to make my life easier
  • Cognitive Leave Request was developed by BridgingIT in partnership with Microsoft. More information about the project: Tobias und Martin entwickeln. (Video in German)
  • Testing is important. Several tools from and for UI5 are available, as are other tools. Just use them if you can.
