Connect to NetWeaver ABAP instance running inside Docker

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

This blog will help you to connect to your SAP NetWeaver ABAP instance running inside a Docker container. For how to get NetWeaver running inside a Docker container, please see my blog Docker for SAP NetWeaver ABAP 7.5x Developer Edition.

SAPGui

Open SAPGui and create a new connection.

Give a name for the connection and click on tab Advanced. I use NPL Docker. Activate expert mode and give the correct connection String. Check to which port the message server port is mapped to by Docker. Inside the container, the port is 3200, and in my case, the external port is 32771. Therefore, the connection String is:

Connection String: conn=/H/localhost/S/32771

Note: the port information is specified when you start the container. As an alternative, you can use Kitematic to see the port mapping.

Save and connect to NetWeaver.

The users and passwords can be found in the readme.html of the extracted SAP NW ABAP 751 download. Standard users are SAP* and Developer.

HTTP Access

You can test if access to your new SAP system is working via HTTP by calling the ping service: http://localhost:32769/sap/public/ping

For this to work, first activate the ping service in SICF.

When you get the response “Server reached.” you can start using the HTTP access.

SAP WebGui

For general WebGui activation, you can see my previous blog “Activation of SAP WebGui”. Here is a short version of this guide. As in the previous HTTP service access, the same procedure must be followed to have access to NPL via WebGui.

Activate the service webgui

To activate the SAP WebGui service, activate the node:

/sap/bc/gui/sap/its/webgui

Activation of public resources

You also need to activate the public service that contains the HTML files (JS, etc):

/sap/public/bc/its

Note

It is not sufficient to only activate the webgui node. The app is using additional resources that are available under /sap/public/bc/its. If this node is not activated, you’ll get an error message when logging in to webgui.

Therefore, for SAP WebGui to load the node /sap/public/bc/its must be activated too.

Activate the node its and its subnodes. Select Activate Service.

Activate with all sub nodes nodes (second Yes).

Result

After activating these two nodes, access to WebGui should work. To test this, call the URL http://localhost:32769/sap/bc/gui/sap/its/webgui After logging in, you should see the SAP Menu.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Install your own SAP NetWeaver ABAP system

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Below is a list of links to blogs I wrote and I hope can help you when you install your own SAP NetWeaver ABAP system. The documentation is the by-product while I installed my demo/test system.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Activation of SAP WebGui

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To be able to benefit from SAP WebGui, you have to execute some initial configuration steps. These steps ensure that the services and the ICF nodes are correctly configured and mime files like JS, CSS, images are available and accessible by WebGui. More information about the necessary ICF configuration steps for WebGui can be found at SAP Help.

The services listed there for WebGui are:

  • /default_host/sap/public/bc/its/mimes
  • /default_host/sap/bc/gui/sap/its/

The URL to access SAP WebGui is: http(s)://<server>:<port>/sap/bc/gui/sap/its/webgui

For some reason the above linked SAP Help page is not listing all ICF nodes and steps needed to execute successfully WebGui. Especially when you have to set up a fresh installed NetWeaver system, several additional steps have to be executed to be able to use WebGui. In total, the steps involved in having a working WebGui are:

  • Base ICF nodes
  • Icons
  • Mime
  • Webgui
  • Publish services

Pre-requisites

The base ICF nodes must have been activated before.

Activate ICONS

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/public/bc/icons

Filter

Activate

Activate MIMES

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/public/bc/its/mime

Filter

Service

Activate Service

Yes

Activate WebGui

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/bc/gui/sap/its/webgui

Filter

Service

Activate Service webgui

Publish services

The ICF nodes are activated, but that does not mean they are also executable in a fresh installed NetWeaver ABAP system. This is caused by that services are not automatically published to ITS after a system is newly installed. You have to do this manually. See
SAP Note 790727
for more on this. Luckily, SAP delivers a transaction that publishes all ITS services: SIAC_PUBLISH_ALL_INT

  • Tx: SIAC_PUBLISH_ALL_INTERNAL

Run it, nothing else to than to wait until the report finishes. You will get an overview presented.

Too much information? No worry, the most important part is the summary of number of messages in each category.

411 times no problems reported!

Test service

http://nw75.tobias.de:8000/sap/bc/gui/sap/its/webgui

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of SAP NetWeaver ABAP ICM for HTTP

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

SAPGui is just one way to access an SAP system. A more and more common way to interact and work with SAP is through a browser. As with all web sites, a web server must handle the browser requests. For SAP NetWeaver ABAP, the web server is ICM. ICM is integrated with NW ABAP, no need to install it as an additional package. The only task to be execute by BASIS is to configure ICM. First step is to validate that ICM is working and no errors are occurring. For a browser to be able to access NW ABAP through HTTP, ICM must be up and running and listening on a HTTP port. Without this port, no communication from a browser to NW ABAP is possible. To see the configured HTTP port of ICM, you can either look at the profile parameter or use SMICM to see the service information.

Check ICM HTTP Port configuration

  • Tx: SMICM

Goto -> Services

This shows the active services handled by ICM. As you can see, HTTP is just one of several possible services. SMTP is available, as can be telnet too! For each service you can see additional information like host name, and port. Port is given a 0. Check the ICM parameters to find out why. Also, take a look at SAP Help about this.

“Default Values AS ABAP

icm/server_port_0 = PROT=HTTP , PORT=0 , TIMEOUT=30 , PROCTIMEOUT=60

Outbound connections across HTTP and SMTP are possible with default values, but no ports for inbound connections are open.”

Configure ICM HTTP Port

Security first. That`s how SAP rolls. To allow someone accessing your SAP ABAP system via HTTP, you must explicitly activate this. Gives you also a hint if or if not SAP sees HTTP based access in ABAP as an equal citizen compared to SAPGui. To see the (default) parameter used by ICM, select:

Goto -> Parameters -> Display.

This will show you the parameters used by ICM. The ICM server parameters are given by icm/server_port_X.

Default parameter for HTTP is icm/server_port_0. Value for port is PORT=0. 0 meaning no incoming communication possible. A browser won`t be able to connect to NW ABAP. You have two options to change this: temporarily or permanent.

Change the HTTP port temporarily

  • Tx: SMICM

Goto -> Services

Select the service: Service -> Change.

In the dialog, enter the new parameters. For port, you can use 8080. Confirm the data to start the service.

This _should_ start the HTTP service using the informed port. In my case – obviously – this did not work.

Change the HTTP port permanently

As the above solution is only a temporary workaround, the error message can be ignored (well, not sure if it is an error message, looks green, OK, and so). To change the profile parameter of ICM, RZ10 is used. This makes the HTTP port change permanent.

  • Tx: RZ10
  • Profile: Default
  • Type: extended maintenance

Select create parameter

Values

  • icm/server_port_0
  • PROT=HTTP,PORT=80$$

Copy the parameter

The comment line changes and includes a change value. Also shows who did the change (blame).

Back at the parameter list, you can now see that the added parameter is listed.

Save the changes to the profile file.

Select yes to activate the new profile.

Confirmation that everything worked.

Note that you`ll have to restart your NW ABAP server to take effect.

Restart NW ABAP.

Test ICM HTTP Port

Did it work? How to test it? Easy: take a look at ICM service and access a service using a web browser. First, let`s see if ICM is listening on port 80$$ (btw: $$ is the ID).

SMICM

  • Tx: SMICM
  • Path: Goto -> Services

  • ICM is listening on port 8000 for HTTP connections!

SICF

Very easy to test. Just access a ICF node using your web browser.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Enable certificate based logon – 3 Activate client certificate verification on NetWeaver ABAP

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

For the NetWeaver ABAP system to be able to accept the certificate based logon from Web Dispatcher, it must be configured to accept the certificate of the WD system as a client certificate. SAP Help

Transaction: RZ10

Instance profile

It is necessary to maintain 2 profile parameters:

  • icm/HTTPS/trust_client_with_issuer
  • icm/HTTPS/trust_client_with_subject

These two parameters are needed to let NW ABAP identifiy which client certificate to trust. They define the DN of the client and the DN of the CA that issued the certificate. Even when someone sends a certificate with the same DN as of WD, but signed by a different CA, it won`t be accepted by NW ABAP. This helps to increase the level of security.

To add both, you have to select Change and then Add new parameter

Parameter name: icm/HTTPS/trust_client_with_issuer

The value of the parameter is taken from the Issuer line of the client PSE of the WD.

Parameter name icm/HTTPS/trust_client_with_subject

The value of the parameter is taken from the Subject line of the client PSE of the WD.

The example screenshots show CN=WDP, OU=SSL Client. These are the standard values of the self-signed certificate of WD client PSE. In case you do not have a CA available, self-signed certificates like the above can be used too.

Result

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Bind ICM to port 443

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To run SAP Portal on the standard web ports 80 and 443 you should use Web Dispatcher. In that case, WD runs on the privileged ports and SAP Portal / NetWeaver Java / ICM continue to run on their usual 5nnXX ports. Changing the ports directly on ICM of NetWeaver is something I cannot recommend, and you should not do it.

Configuration of ICM

To run NetWeaver on low ports, follow the procedure outlined in SAP Note 421359. ICMBND is the executable that will run at port 443. This file does not exists. To create it, follow the steps outlined in the SAP Note as user root:

  • cd /usr/sap/<SID>/J00/exe
  • cp icmbnd.new icmbnd
  • chown root:sapsys icmbnd
  • chmod 4750 icmbnd
  • ls –al icmbnd

The super user bit is now set. With this, the executable can now “act” as being root and listen on port 443. The instance profile must now be changed to include the new ICM parameters to bind to port 443 for HTTPS and to use the external program icmbnd for doing that.

Currently the port configuration may look like this:

After the change

Note: The parameter exe/icmbnd should not be needed as long as the binary resides in the normal place. I added it here to show how the parameter looks when configured.

Restart SAP system: stopsap; startsap.

Result

NetWeaver is now listening on port 443.

 

Default configuration is that NetWeaver first asks the client to provide a certificate and if none is given, proceeds with the normal authentication defined in logon profile.

This can be disabled be setting the parameter VCLIENT=0 in the instance profile:

icm/server_port_4=HTTPS,PORT=443,SSLCONFIG=ssl_config_4,EXTBIND=1,VCLIENT=0

Links

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn