SAP NetWeaver comes with its own solution to prevent clickjacking for its most relevant UI frameworks. For more information about this protection, see the corresponding SAP Notes.
Check if clickjacking protection service is enabled or disabled. It is disabled, if no record with ENTRY_TYPE=30 is in the table, or if the table is empty.
Table name: HTTP_WHITELIST
Execute
Result
By default, no values are in the table and the service is not enabled. For data that needs to be inserted into table HTTP_WHITELIST, see SAP Note 2142551. Creating an entry type with vale 30 activates the whitelist.
Transaction: SE16
Select F5 or click on the new entry icon.
Insert data. See links below for additional information on possible values.
Click save to persist the entry in the table.
Afterwards, the table will contain one record. As the record has value 30 for column ENTRY_TYPE, the clickjacking protection service is enabled.
Activate ICF whitelist service
Adding a record activates the service, but to make apps working, additional configuration steps must be taken. For instance, accessing now a WDA app (e.g. SAML2) will resolve in a HTTP 500 internal server error. This is caused by having the clickjacking protection activated, but not the whitelist service.
To solve the HTTP 500 error, you need to activate the ICF whitelist service.
Transaction SICF_INST
Technical name: UICS_BASIC
Execute. This will activate the ICF node
/sap/public/bc/uics/whitelist
Result
After enabling the service and the ICF node, the above WDA app will open in the browser.
Old habits are not easily dying and replaced by best practices and general recommendations. In the early days, when UI5 started to gain traction, people discovered it, tried it out, wrote apps, made them somehow work. Everybody was learning, and things we can do today were not possible or known then. Changes to the documentation, API and recommendations are simply the result of lessons learned.
As UI5 apps are based around a model, its data, representation and manipulation, a lot of questions around UI5 development are about the model: how to access data, change, update or delete it. A good thing of UI5 is that it is following semantic versioning, and code written for UI5 1.1x or 1.2x will still work with latest versions like 1.5x. It doesn’t mean that you, as a developer, should simply copy & paste example code found somewhere.
Example
After loading the model, be it JSON or OData, you may have to access a specific property in you code. What you can find in the Internet is code like:
oData
var oData = this.getView().getModel().oData;
var firstname oModel.getModel().oData[entity].firstname;
var name = oData[entity].name;
JSON
var oData = this.getView().getModel(“device”).oData;
var osname = oModel.oData.os.name;
var osname = this.getView().getModel().getData().os.name;
First line will give you the model data object, 2nd and 3rd line the property osname of the model. The 3rd line is partly correct, as the access to the data is done through a method, but access to property name is done directly. You can work with the data object now directly, but you shouldn’t. What you want is not to work with the raw data that defines your model, but with properties.
Use access methods
Data binding is important when developing an UI5 app. You update properties, and you want to have the UI elements automatically be updated too. When accessing the properties directly, you have to check if the change is correctly propagated. Using access methods, UI5 will for sure take care of this. The method to access properties of your data model are getData, getProperty or getObject. Applying this to above code:
JSON
var oData = this.getView().getModel().getData();
var osname = this.getView().getModel(“device”).getProperty(“/os/name”);
OData
var entity = this.getView().getModel().getObject("/"+key);
var property = this.getView().getModel().getProperty("/"+key+"/Depth");
This is now only using the methods to access data. To alter the property, use the setProperty method.
The above examples may not be perfect. They show that UI5 offers methods to access model data. Using these methods your code will continue to work in the future and is guaranteed to work in future releases of UI5. Direct access to the model data is done at your own risk. In case you work on a UI5 app, use the access methods. If you work on an older app that uses direct access to the model, try to refactor the app. The change from oModel.oData to oModel.getData() is as simple as executing a find and replace.
Connectivity between SAP Cloud Platform and an on premise SAP NetWeaver system is normally achieved via SAP Cloud Connector. A nice feature depending on this is the remote connection of SAP Web IDE to an on premise ABAP system. The feature allows to easily load apps from the ABAP system and change or extend them from everywhere.
For this feature to work, some ICF services must be active on the ABAP system and remote access enabled on SCC. If not, Web IDE cannot “talk” to NW ABAP. Some possible errors and solutions regarding the setup are shown in this blog.
Scenario
A NetWeaver ABAP system with Fiori apps is available and the SAP Cloud Connector is configured to expose the system to SAP Cloud. I am using the SAP NetWeaver ABAP 7.51 Developer Edition for the scenario.
In the destination section of SCP, the SCC is shown as connected and the destination NPL is configured and working. A connection tests gives back a successful message: SCP <–> SCC <–> NW works.
Problem
A developer tries to extend a Fiori app. In Web IDE, the project wizard for an extension project is used.
After selecting the on premise system destination, an error message is displayed. The actual error message can differ. Sometimes you see an informative error message or just some red text or maybe nothing.
Error messages
In all cases, you can check the log of SCC and see a detailed information on the error.
The error message is:
Access denied to /sap/bc/adt/discovery for virtual host npl:443
Solution
The ICF service /sap/bc/adt/discovery is not accessible. This can be because the user does not have the right permissions, or the service is not active in the NW system, or SCC is not exposing the service.
Alternative A: SCC not exposing service
Adding a service in SCC will only expose the exact path, not the sub path. Either you add all paths exactly in the resource list, or change the access policy to accept sub-paths too.
Root cause: Path only, excluding sub-paths.
Solution: Change this to will allow Web IDE to access the resource.
Alternative B: ICF service not active
In the NW ABAP system, got to transaction SICF and check node /sap/bc/adt. This node must be activated. By default, this node is deactivated and must be activated by Basis.
Root cause: Service deactivated
Solution: Activate node adt. Right click and select Activate Service.
Alternative C: Missing authorization
Check with SU53 and SAP Help what is missing and assign the right permissions to your user.
Result
After applying the correct solution, the developer can use the extension project wizard in SAP Web IDE to load available applications.
When running a CI job you may need to use some SAP tools. For instance, the MTA builder or Neo tools. Many CI servers include integration to build tools or plugins are provided by the community or vender. Jenkins offers plugins for Maven, Ant or Node that let you easily integrate these into a CI jobs. If you have a CI job for SAP, it is your task to make the necessary tools available. There are not many plugins for SAP available for Jenkins.
Some tools you may need can be found on SAP’s tool site. For instance, the MTA builder. A simple JAR file that is available for download and needed in case you are working with MTA apps.
Before you can download the JAR file, you need to agree to the EUL.
This means that you cannot download the JAR using cli:
Running the above wget command will not download the tool, but a web site. Some may know that this is very close to how Oracle protected it’s Java download. And the “solution” here is the same: send the right cookie via wget.
I have a git repository on SCP that I want to clone using git on my laptop. I thought this should be easy to do. The source code of my project is available in the git repo at SCP. Cloning the repo using git clone from this URL should work.
The clone fails with “service not enabled.” Looking at SAP’s documentation, this should not have happened. Here SAP Cloud Platform documentation for the git service differs from reality.
I did a), and b) did not apply, as I wasn’t asked for my SCN user ID nor password. SAP’s git troubleshooting guide contains a section about the error message. Good to know that there is a possible solution, but I already did already what the proposed solution to the error is:
„Ensure that you have the correct repository URL. Copy it from the Source Location section of the repository’s details page in the SAP Cloud Platform cockpit.“
As it is possible to access the repository in SAP Web IDE, it should also be possible to access it from outside SCP. I know that the git repository is protected. Maybe the requests from git cli is blocked by SCP? After all, I was not asked to authenticate. Maybe I can force SCP to ask me for my password? Changing the URL to include my SCN user ID did just that: I was asked to provide my password.
SCP is now asking for my password and – magic happening – the git service is now accessible and the repo can be cloned. Would be nice if the git service would ask me to authenticate instead of failing directly.
When you first start Docker, the size of this image is around 1.4GB. Adding containers, image, etc and it will grow to 64GB.
The 64GB default size can be seen when using qemu-img info:
qemu-img info ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/Docker.qcow2
When this limit is reached, Docker should automatically increase the size of the image, but this isn’t working always. As a result, when the image is at 64 GB, you can get an error message stating that the device is full:
no space left on device
At least with my Dockerfile for SAP NetWeaver ABAP Developer Edition Docker is not increasing the image file dynamically. Because of this I had to split the automatic installation process in two parts: base image setup and installation. I guess that right now the SAP Installation is filling up space faster than Docker can react.
The Docker.qcow2 file is a VM disk. Therefore, it is possible to manipulate it like any other virtual disk: you can increase the disk size and access files within the VM disk when you mount the image in a VM. An easy solution to change the disk size Docker has available to store images and containers is to increase the disk size. This can be done by using Qemu and GParted.
Preparations
Locate qcow2 on your Computer
Click on open in finder. Finder opens at the specified location.
Starting the virtual machine will take some time. Be patient. Next you’ll have to configure the GParted ISO image.
The default values should be enough. This gives you a keyboard, mouse, English and X. After that, Gparted is started and you should see the Docker.qcow2 disk in the Gparted app.
Select the disk and click on Resize / Move. In the new size (MiB) field, enter the new size of the disk you need. The disk size is allocated dynamically and won’t occupy immediately space on your physical disk. So don’t be shy. Assign all free space to the partition.
Click on Resize/Move and on the Apply button
Last chance to stop. But as you need the new free space for Docker, click again on Apply.
The partition will be resized. In case something goes wrong, please restore the backup of the Docker.qcow2 file you made previously.
After the operation finishes, you can see that the partition is now offering 164GB.
Shutdown the VM. As the Docker.cqow2 file changed was the original one used by Docker, you have only to restart Docker to benefit from the new image size. Now you can use Docker to run SAP NetWeaver ABAP with just one command. As the Docker.qcow2 file is empty, even when the image size is reported as 4 GB, compressed (zipped) it’s just a few MB.
With the new Docker disk file you can even start SAP NetWeaver ABAP without getting the “no space left on device” message.
Image creation works. The space occupied by just the SAP NetWeaver ABAP image is already at 65 GB.
Start a container
docker run -P -h vhcalnplci --name nwabap751 -it nwabap:latest /bin/bash
In Kitematic
Start UUIDD
/usr/sbin/uuidd
Change to user npladm
su - npladm
startsap
Problem with starting SAP
When you log in to your container and run startsap, the program will fail. It will report that no instance profiles were found.
startsap
Take a look at the available profiles.
ls -1 /sapmnt/NPL/profile/
During the installation, the installation script installed the profile files for the container with the dummy name 4f65[…], after starting the container, we specified a specific host name: vhcalnplci. Of course, these do not match and make sapstart fail.
Let’s adjust the instance profile configuration.
Rename files
Substitute references to old hostname to correct one vhcalnplci
UUID is a good old problem when it comes to running SAP NetWeaver on Linux / SuSE. You have a problem when you log in to your SAP system and get an error message. The error message shows the root cause and solution: “The UUID daemon (uuidd) is not active (code 59999). Check SAP note 1391070.”
Solution
SAP NetWeaver isn’t meant to run in Docker. When the software was designed, Docker or event containerization wasn’t around (maybe SUN). NetWeaver assumes that it is executed inside a real Linux. And the Docker version of OpenSuSE isn’t 100% a real Linux. A lot of services you get “automatically” when installing OpenSuSE are not available. One of those is that the init.d system is not starting services. Because of this, there is no UUID daemon running.
Make sure that the UUIDD service is running. For a normal Linux distribution, I blogged about this at a previous blog of mine. In case you are using Docker with OpenSuSE, make sure that uuidd is installed and executed during the image creation:
Installation
RUN zypper --non-interactive install --replacefiles uuidd
Execution
RUN mkdir /run/uuidd && chown uuidd /var/run/uuidd && /usr/sbin/uuidd
Result
With the UUIDD running, the logon to SAP NetWEeaver ABAP is working. No restart of NetWeaver is needed.
Give a name for the connection and click on tab Advanced. I use NPL Docker. Activate expert mode and give the correct connection String. Check to which port the message server port is mapped to by Docker. Inside the container, the port is 3200, and in my case, the external port is 32771. Therefore, the connection String is:
Connection String: conn=/H/localhost/S/32771
Note: the port information is specified when you start the container. As an alternative, you can use Kitematic to see the port mapping.
Save and connect to NetWeaver.
The users and passwords can be found in the readme.html of the extracted SAP NW ABAP 751 download. Standard users are SAP* and Developer.
For this to work, first activate the ping service in SICF.
When you get the response “Server reached.” you can start using the HTTP access.
SAP WebGui
For general WebGui activation, you can see my previous blog “Activation of SAP WebGui”. Here is a short version of this guide. As in the previous HTTP service access, the same procedure must be followed to have access to NPL via WebGui.
Activate the service webgui
To activate the SAP WebGui service, activate the node:
/sap/bc/gui/sap/its/webgui
Activation of public resources
You also need to activate the public service that contains the HTML files (JS, etc):
/sap/public/bc/its
Note
It is not sufficient to only activate the webgui node. The app is using additional resources that are available under /sap/public/bc/its. If this node is not activated, you’ll get an error message when logging in to webgui.
Therefore, for SAP WebGui to load the node /sap/public/bc/its must be activated too.
Activate the node its and its subnodes. Select Activate Service.
The difference is that in Gregor’s version you download the NW ABAP installation files and when the container is build, you go manually through the installation. My Dockerfile assumes that you have downloaded the NW 7.51 ABAP installation files already and will automate the installation. Once you have downloaded the installation files from SAP you can make them locally available and create new Docker images / containers based on these, without having to download almost 16 GB again. And the installation script will run without prompting for user input.
Another differentiation is that you can “easily” change the Dockerfile to install NetWeaver 7.50 of the developer edition.
Pre-requisites
To be able to run the Dockerfile, you need
Docker installed
Downloaded and extracted installation files of SAP NW ABAP Developer Edition
Internet connection
Installation
1 Get the Dockerfile
From my GitHub repository, you can find a Dockerfile that helps you to create a Docker image and container that will install your downloaded NetWeaver version. All you need is the Dockerfile, so a simple download is sufficient. You can also download the file by cloning the GitHub repository: https://github.com/tobiashofmann/sap-nw-abap-docker
Un-compress them into a folder named NW751. The folder must be at the same location where your Dockerfile is.
Build the Docker image
Build the Docker image
Command:
docker build -t nwabap .
Sample output
After the build is finished, the last line you should see is
Successfully tagged nwabap:latest
To see the ID and name of the newly created image, run the following command:
docker images
Sample output
The command lists the ID, tag and size of the image. As you can see, it’s a 15 GB Docker image. Using this image, you can start a container and install NW ABAP 7.51 DE inside the container.
Create container from image
You can now create a container from the image. You’ll have to connect to the container and run the installation script run.sh. The file was created during docker build. It will run SAP’s install.sh and fill in the input automatically.
docker run -P -h vhcalnplci --name nwabap751 -it nwabap:latest /bin/bash
This will start the container and log you in. What you’ll get is the bash shell.
bash-4.3#
In case you have Kitematic installed, you can see the running container listed.
The container configuration for the ports is also visible there. The ports are automatically mapped by Docker. The message server port 3200 is accessible through localhost:32771, and the HTTP port 8000 through localhost:32769. This mapping can be changed either inside Kitematic or when the container is started on the command shell.
Run ls to see the content of the current directory. You can see the install.sh file from SAP (feel free to start the installation manually) and the run.sh script that will automate the installation.
Start installation
Run the script run.sh to install SAP NetWeaver ABAP 7.51. The script will enter all information requested by install.sh automatically. The installation will take some time, +/- 20 minutes.
./run.sh
Sample output
[…]
[…]
The installation worked when the script ends and you can see the output:
SAP Web Dispatcher is an important component in a SAP landscape. While have been treated as optional for many years and found mainly in SAP Portal scenarios, with the increase adoption of Fiori, having a reverse proxy in the landscape is becoming pre-requisite. While it’s possible to choose from a wide range of alternatives of servers for a reverse proxy, SAP`s Web Dispatcher is normally always the best fit in a SAP landscape. A question that sometimes arises is how to install Web Dispatcher.
First you settle on what version of Web Dispatcher (WD) to install. SAP Note 908097 states that you should go for the latest version. “Version 7.49 is the recommended SAP Web Dispatcher version for all backend systems.”
The actual installation gives you two options:
easy and
recommended.
The easy alternative is to simply un-sapcar the WD SAR file downloaded from Service Marketplace into a directory. To run WD, it`s then just to bootstrap it or run it with a given profile file. This installation method gives you a up and running WD in just one minute. The problem is that the files are all in one directory and not in the “official” directory structure of a normal SAP installation. But you get something like a portable WD installation: zip the directory and you can copy it to another server and can run WD from there.
The recommended alternative ensures that the WD is installed like a normal SAP product: all files follow the normal directory structure, etc. Installation is done using SWPM. Important when you are going to do some advanced configuration like PSE encryption, CryptoLib installation, etc. I`ll try to show how to install SAP Web Dispatcher the recommended way.
Download software
Download the needed software. It`s SWPM, Web Dispatcher, SAPCAR and HOSTAGENT.
SWPM
SAP Web Dispatcher 7.49 PL 112
SAPCAR 7.21
SAP Host Agent 7.21
Result
After you have downloaded all software, you have four files, summing up to almost 900 MB.
In a Unix environment, your WD system won`t have a graphical user interface and access to the system is given by SSH. This kind of environment can perfectly be emulated using Docker. Note: the SAR files need to be copied over to the target host.
Docker
There are several Linux images available for Docker. Let`s use Debian for this.
After running the Docker image, you have the files on the Linux system up and running, the Web Dispatcher and sapinst files available. Web Dispatcher is not yet installed. This is done by using sapinst. To run the installation, you`ll have to connect to sapinst using a different computer (most cases: your laptop). Let`s call the Docker container the target, and your computer the client.
Logon
I use Kitematic and to log on to my docker container, I just click on the EXEC button.
Logon to Docker container:
The log on from shell, the command is something like this:
To work properly, sapinst must be started as root. You then connect to it and log on. The logon is done by default with the user id running sapinst. Problem is that with the Docker images you do not know the root password. Same for environments where root access is only provided to a few or via sudo. You need to enable sapinst to run as root, but allow a different user (like <sid>adm) to log on. You achieve this by providing a parameter to sapinst informing the OS user allowed to log on remotely. The process is then:
Run sapinst as root (or sudo)
Connect to it informing a OS user (wddadm)
Sapinst Parameters
The needed parameter can be retrieved by letting sapinst show all available parameters. More information available in SAP Note 1745524 and at SAPinst central note.
./sapinst –p
Run sapinst in Docker
Provide the <sid>adm user as a property to sapinst.
Start sapinstgui and connect to the target server on port 21212.
./sapinstgui
Inform the host name or IP address. In my case, it is 192.168.0.16. The port is the default sapinst port 21212.
Accept the fingerprint. You can check the fingerprint with the one printed by sapinst on the target server to be extra sure you are connecting to the right server.
Authenticate. You`ll need to provide the user id and password of the user running sapinst on the target host. In my case, the user is wddadm with password whatever. This is defined in the Dockerfile when the user is created.
sapinst output in Docker:
Logon on using wddadm / whatever
After a successful logon, sapinst will start. Current setup is not supported by SAP. For a production case this is a no-go, for my personal use case this is totally acceptable.
Sapinst shows the list of installable software options available. Web Dispatcher can be found at the end of the list.
Selecting SAP Web Dispatcher will start the installation.
Inform the path on the target server where the SAR files for SAP Web Dispatcher and SAP Host Agent can be found.
The files were copied into the container during the execution of the Dockerfile. All files are located at /home/wddadm.
If all packages are found, validated and added as considered valid for the installation.
Debian in Docker for sure won`t pass all the pre-requirements check build into SWMP. You`ll get a warning message, but SWMP won`t stop the installation. Select No. Seems that inside Docker, checking for the available free space is not working correctly.
Web Dispatcher configuration
Bootstrapping
Don’t worry, the system must not be accessible, yet exist. It’s just informing the bootstrap parameters. In my case, I am using a system that is not available, and it worked. Just be aware that in case the backend system changes, or isn’t even a ABAP system, like SMP3, you need to configure the Web Dispatcher profile manually.
Confirmation
Installation
The last step is to start Web Dispatcher. You can follow this on the console log of sapinst on the target server
If all worked, you get a confirmation message and the installation finishes.
SAPinst on the client host ends and so does it on the target host.
Validate installation
This gives you the time to validate the installation and check if all files are correctly installed.
Users
A new user sapadm was created
Folders
Web Dispatcher is installed under /sapmnt and instance is found in folder /usr/sap
This is perfectly aligned with the default locations of a SAP instance, and way better than simply putting all files into the same folder when unzipping the SAR. Especially when you consider that you may have to open a CSS ticket to SAP in your production environment or have new consultants arriving that expect the files to be located at the default location.
SAP Host Agent
The host agent was started and is running.
Start and stop Web Dispatcher
Starting and stopping Web Dispatcher via stopsap and startsap is working
stopsap
startsap
Admin web interface
The admin port of Web Dispatcher is listening by default on port 44300.
I use cookies to ensure that I can give you the best experience on my personal website. If you continue to use this site I will assume that you are happy with it.Ok
