To be able to benefit from SAP WebGui, you have to execute some initial configuration steps. These steps ensure that the services and the ICF nodes are correctly configured and mime files like JS, CSS, images are available and accessible by WebGui. More information about the necessary ICF configuration steps for WebGui can be found at SAP Help.
The services listed there for WebGui are:
The URL to access SAP WebGui is: http(s)://<server>:<port>/sap/bc/gui/sap/its/webgui
For some reason, the SAP Help page linked above does not list all ICF nodes and steps needed to run WebGui successfully. Especially when you set up a freshly installed NetWeaver system, several additional steps have to be executed before WebGui can be used. In total, the steps involved in getting a working WebGui are:
Base ICF nodes
The base ICF nodes must have been activated before.
Virtual host: DEFAULT_HOST
Service Path: /sap/public/bc/icons
Virtual host: DEFAULT_HOST
Service Path: /sap/public/bc/its/mime
Virtual host: DEFAULT_HOST
Service Path: /sap/bc/gui/sap/its/webgui
Activate Service webgui
The ICF nodes are activated, but that does not mean they are also executable in a freshly installed NetWeaver ABAP system. The reason is that services are not automatically published to ITS after a system is newly installed. You have to do this manually. See SAP Note 790727 for more on this. Luckily, SAP delivers a transaction that publishes all ITS services: SIAC_PUBLISH_ALL_INT
Run it; there is nothing else to do but wait until the report finishes. You will then be presented with an overview.
Too much information? No worries, the most important part is the summary of the number of messages in each category.
SAPGui is just one way to access an SAP system. An increasingly common way to interact and work with SAP is through a browser. As with all web sites, a web server must handle the browser requests. For SAP NetWeaver ABAP, the web server is ICM. ICM is integrated with NW ABAP, so there is no need to install it as an additional package. The only task to be executed by BASIS is to configure ICM. The first step is to validate that ICM is working and no errors are occurring. For a browser to be able to access NW ABAP through HTTP, ICM must be up and running and listening on an HTTP port. Without this port, no communication from a browser to NW ABAP is possible. To see the configured HTTP port of ICM, you can either look at the profile parameter or use SMICM to see the service information.
Check ICM HTTP Port configuration
Goto -> Services
This shows the active services handled by ICM. As you can see, HTTP is just one of several possible services. SMTP is available, and telnet can be too! For each service you can see additional information like host name and port. The port is given as 0. Check the ICM parameters to find out why. Also, take a look at SAP Help about this.
“Outbound connections across HTTP and SMTP are possible with default values, but no ports for inbound connections are open.”
Configure ICM HTTP Port
Security first. That's how SAP rolls. To allow someone to access your SAP ABAP system via HTTP, you must explicitly activate this. This also gives you a hint as to whether SAP sees HTTP-based access in ABAP as an equal citizen compared to SAPGui. To see the (default) parameters used by ICM, select:
Goto -> Parameters -> Display.
This will show you the parameters used by ICM. The ICM server parameters are given by icm/server_port_X.
The default parameter for HTTP is icm/server_port_0, and its port value is PORT=0. 0 means that no incoming communication is possible, so a browser won't be able to connect to NW ABAP. You have two options to change this: temporarily or permanently.
Change the HTTP port temporarily
Goto -> Services
Select the service: Service -> Change.
In the dialog, enter the new parameters. For port, you can use 8080. Confirm the data to start the service.
This _should_ start the HTTP service using the specified port. In my case – obviously – this did not work.
Change the HTTP port permanently
As the above solution is only a temporary workaround, the error message can be ignored (well, not sure if it is an error message, looks green, OK, and so). To change the profile parameter of ICM, RZ10 is used. This makes the HTTP port change permanent.
Type: extended maintenance
Select create parameter
Copy the parameter
The comment line changes and includes a change value. Also shows who did the change (blame).
Back at the parameter list, you can now see that the added parameter is listed.
Save the changes to the profile file.
Select yes to activate the new profile.
Confirmation that everything worked.
Note that you'll have to restart your NW ABAP server for the change to take effect.
Restart NW ABAP.
Test ICM HTTP Port
Did it work? How to test it? Easy: take a look at the ICM service and access a service using a web browser. First, let's see if ICM is listening on port 80$$ (btw: $$ is the ID).
Path: Goto -> Services
ICM is listening on port 8000 for HTTP connections!
Very easy to test. Just access an ICF node using your web browser.
Note: you do not need to access a working web app, just a single node to see whether ICM responds. You can use icman to test, although you should not get a valid response.
For the NetWeaver ABAP system to be able to accept the certificate-based logon from Web Dispatcher, it must be configured to accept the certificate of the WD system as a client certificate. See SAP Help.
It is necessary to maintain 2 profile parameters:
These two parameters are needed to let NW ABAP identify which client certificate to trust. They define the DN of the client and the DN of the CA that issued the certificate. Even when someone sends a certificate with the same DN as that of WD, but signed by a different CA, it won't be accepted by NW ABAP. This helps to increase the level of security.
To add both, you have to select Change and then Add new parameter
The value of the parameter is taken from the Issuer line of the client PSE of the WD.
Parameter name icm/HTTPS/trust_client_with_subject
The value of the parameter is taken from the Subject line of the client PSE of the WD.
The example screenshots show CN=WDP, OU=SSL Client. These are the standard values of the self-signed certificate of WD client PSE. In case you do not have a CA available, self-signed certificates like the above can be used too.
To run SAP Portal on the standard web ports 80 and 443 you should use Web Dispatcher. In that case, WD runs on the privileged ports and SAP Portal / NetWeaver Java / ICM continue to run on their usual 5nnXX ports. Changing the ports directly on ICM of NetWeaver is something I cannot recommend, and you should not do it.
Configuration of ICM
To run NetWeaver on low ports, follow the procedure outlined in SAP Note 421359. ICMBND is the executable that will run at port 443. This file does not exist. To create it, follow the steps outlined in the SAP Note as user root:
cp icmbnd.new icmbnd
chown root:sapsys icmbnd
chmod 4750 icmbnd
ls -al icmbnd
The setuid bit is now set. With this, the executable can now “act” as being root and listen on port 443. The instance profile must now be changed to include the new ICM parameters to bind to port 443 for HTTPS and to use the external program icmbnd for doing that.
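Added example, not part of the original page or of SAP Note 421359: a Python check that icmbnd still has the owner, group and mode set by the commands above, since a setuid-root binary should stay executable only by root and group sapsys. The function names are hypothetical.

```python
import grp
import os
import stat

EXPECTED_MODE = 0o4750      # from the page: chmod 4750 icmbnd
EXPECTED_GROUP = "sapsys"   # from the page: chown root:sapsys icmbnd

def audit_perms(mode, uid, group):
    """Compare mode bits, owner uid and group name with the values set above."""
    perms = stat.S_IMODE(mode)
    findings = []
    if uid != 0:
        findings.append("owner is not root, setuid would not grant root")
    if not perms & stat.S_ISUID:
        findings.append("setuid bit missing, binding to low ports will fail")
    if group != EXPECTED_GROUP:
        findings.append(f"group is {group}, expected {EXPECTED_GROUP}")
    if perms & stat.S_IRWXO:
        findings.append("world permission bits set on a setuid-root binary")
    if perms & stat.S_IWGRP:
        findings.append("group-writable setuid-root binary")
    if not findings and perms != EXPECTED_MODE:
        findings.append(f"mode {perms:o} differs from expected {EXPECTED_MODE:o}")
    return findings

def audit_file(path):
    """Stat the binary at `path` (hypothetical location) and audit it."""
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:            # gid without a name in the group database
        group = str(st.st_gid)
    return audit_perms(st.st_mode, st.st_uid, group)

if __name__ == "__main__":
    # Constructed input: the mode produced by chmod 4750, owned by root:sapsys.
    print(audit_perms(0o104750, 0, "sapsys") or "icmbnd permissions as expected")
```

An empty list means the file matches what the page configures; any finding is worth checking after kernel patches, which can replace the binary.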
Currently the port configuration may look like this:
After the change
Note: The parameter exe/icmbnd should not be needed as long as the binary resides in the normal place. I added it here to show how the parameter looks when configured.
Restart SAP system: stopsap; startsap.
NetWeaver is now listening on port 443.
Default configuration is that NetWeaver first asks the client to provide a certificate and if none is given, proceeds with the normal authentication defined in logon profile.
This can be disabled by setting the parameter VCLIENT=0 in the instance profile:
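Added example (not from the original page or from SAP): a small Python audit of instance-profile lines for the ICM settings discussed on this page, namely PORT=0, low ports, VCLIENT=0 and the two client-certificate trust parameters. The sample profile is constructed; the EXTBIND=1 option and the parameter name icm/HTTPS/trust_client_with_issuer do not appear on this page and are used here as the standard ICM names.

```python
import re

# Constructed instance-profile excerpt for illustration, not from a real system.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=0
icm/server_port_1 = PROT=HTTPS,PORT=443,EXTBIND=1,VCLIENT=0
icm/server_port_2 = PROT=HTTP,PORT=80
icm/HTTPS/trust_client_with_subject = CN=WDP, OU=SSL Client
"""
PORT_PARAM = re.compile(r"^icm/server_port_\d+$")
TRUST_PAIR = ("icm/HTTPS/trust_client_with_issuer",   # name not shown on the page
              "icm/HTTPS/trust_client_with_subject")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def port_options(value):
    """Split 'PROT=HTTP,PORT=0,...' into a dict with upper-cased keys."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {key.strip().upper(): val.strip() for key, val in pairs}

def audit(text):
    """List findings for the ICM settings discussed on this page."""
    params = parse_profile(text)
    findings = []
    for name in sorted(p for p in params if PORT_PARAM.match(p)):
        opts = port_options(params[name])
        prot, port = opts.get("PROT", "?").upper(), opts.get("PORT", "")
        if port == "0":
            findings.append(f"{name}: {prot} PORT=0, no inbound connections")
        elif port.isdigit() and int(port) < 1024 and opts.get("EXTBIND") != "1":
            findings.append(f"{name}: port {port} is privileged but EXTBIND=1 is missing")
        if prot == "HTTPS" and opts.get("VCLIENT") == "0":
            findings.append(f"{name}: VCLIENT=0, no client certificate is requested")
    present = [p for p in TRUST_PAIR if p in params]
    if len(present) == 1:
        findings.append(f"{present[0]} is set without its counterpart")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print(finding)
```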