Make logoff really work for Personas

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

This blog mentions personas, but the problem and solution is equal to any WebGUI scenario: you can log on, but never leave. Some changes were introduced in later NetWeaber ABAP version, making it impossible to logoff without further configuration that ensures the cookies and session are really deleted. The cause is that by default, the logoff ICF service is not active and the services like personas do not call the logoff service. You can find more information on this in SAP Note 1777513: WebGUI logoff does not work

Symptom

As an example, I’ll use SAP Screen Personas. Keep in mind the same happens when using WebGui. You log on to Personas and see your main menu: https://server:port/sap/bc/personas

Now you log off and hit F5 to reload the page. And you are logged on automatically. Meaning you were never really logged out of the system. What you want and need is to ensure that logout means logout. The following steps show how to achieve this by configuring the personas service to call the logoff service.

Solution

Logoff service

Transaction: SICF

Make sure the logoff service is active. If not, activate the service. This service is responsible for logging you out and deleting the cookies in the browser.

Personas service

Transaction: SICF

Change the personas service (or webgui service, etc).

Check the logoff settings under “Error Pages” > “Logoff Page”. By default there is no redirect activated, meaning that the logoff service is not called. Because of this you are not logged out, the cookies are not deleted.

Change to edit mode. Activate “Redirect to URL” and set as URL /sap/public/bc/icf/logoff.

Parameter: /sap/public/bc/icf/logoff.

Alternative

The above URL will log you out, but you won’t see any nice page that shows this. It may be a error page (404) or a blank page. To redirect the user again to the personas logon page, use the

Parameter: /sap/public/bc/icf/logoff?redirectURL=/sap/bc/personas.

Save.

Add the change to a request.

Done.

Test

Log on to the system via WebGui and then log off. You should see the logon page next time you try to access a service.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of Personas 3 – 7 – Test Personas 3

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Final step to execute when configuring Personas for the first time is to check if it actually works. The health check tool shows that the configuration is OK; no more steps needed now to take Personas 3 for a test drive. It is time to access Personas 3! Best way to do so is to call Personas 3 from a browser. If you do not know already the URL of the app, you can call the ICF node directly from SICF.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Name: PERSONAS

Test service

This opens your default browser and automatically opens the personas app: /sap/bc/personas.

Wait, what? That`s Personas 3? Easy, look at the top middle of your screen.

Click it. Yeah, that`s Personas 3.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of Personas 3 – 3 – Configure Personas properties

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

After activating the ICF personas node, you have to check that the GUI configuration parameters are correct. I guess this is just a validation step in case someone messes up with the standard values, as ootb the parameters are OK. Nevertheless, it makes sense to check if they are configured as they should be.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Path: /sap/bc/personas properties

Open the service configuration (double click) and then open the GUI configuration.

Click on GUI Configuration.

The service parameters must be equal to what the configuration document gives.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of Personas 3 – 2 – ICF nodes

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Personas 3 is a web application. ICF is a pre-requisite. As flavors are based on WebGui, this is also a pre-requisite. For anyone that thinks he can use Personas 3 but not permit usage of WebGui: that`s not how it works (but there is the option to run Personas from within SAPGui). As you will need web skills for Personas, your users will use a browser to connect to SAP, and your SAP system must be prepared for this. Also, consider looking at your web landscape for SAP: consider that your users will access Personas 3 through a reverse proxy like Web Dispatcher. Nevertheless, you will have to activate some ICF nodes to be able to use Personas 3.

Activate ICF nodes

  • /default_host/sap/bc/personas
  • /default_host/sap/bc/personas3
  • /default_host/sap/bc/gui/sap/its/webgui

Tx: SICF

Node: default_host/sap/bc/personas

Activate service.

Node: /default_host/sap/bc/personas3

Activate service.

Yes

Node: /default_host/sap/bc/gui/sap/its/webgui

Activate service.

Test

Check the pre-requisites for having a working SAP WebGui installation. Validate that all services needed to run SAP WebGui are up and running. Not sure how to do that? Take a look at my previous blog on how to set up WebGui.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Path: /sap/bc/gui/sap/its/webgui

Filter

Test service

Result

Working.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Activation of SAP WebGui

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To be able to benefit from SAP WebGui, you have to execute some initial configuration steps. These steps ensure that the services and the ICF nodes are correctly configured and mime files like JS, CSS, images are available and accessible by WebGui. More information about the necessary ICF configuration steps for WebGui can be found at SAP Help.

The services listed there for WebGui are:

  • /default_host/sap/public/bc/its/mimes
  • /default_host/sap/bc/gui/sap/its/

The URL to access SAP WebGui is: http(s)://<server>:<port>/sap/bc/gui/sap/its/webgui

For some reason the above linked SAP Help page is not listing all ICF nodes and steps needed to execute successfully WebGui. Especially when you have to set up a fresh installed NetWeaver system, several additional steps have to be executed to be able to use WebGui. In total, the steps involved in having a working WebGui are:

  • Base ICF nodes
  • Icons
  • Mime
  • Webgui
  • Publish services

Pre-requisites

The base ICF nodes must have been activated before.

Activate ICONS

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/public/bc/icons

Filter

Activate

Activate MIMES

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/public/bc/its/mime

Filter

Service

Activate Service

Yes

Activate WebGui

  • Tx: SICF
  • Virtual host: DEFAULT_HOST
  • Service Patch: /sap/bc/gui/sap/its/webgui

Filter

Service

Activate Service webgui

Publish services

The ICF nodes are activated, but that does not mean they are also executable in a fresh installed NetWeaver ABAP system. This is caused by that services are not automatically published to ITS after a system is newly installed. You have to do this manually. See
SAP Note 790727
for more on this. Luckily, SAP delivers a transaction that publishes all ITS services: SIAC_PUBLISH_ALL_INT

  • Tx: SIAC_PUBLISH_ALL_INTERNAL

Run it, nothing else to than to wait until the report finishes. You will get an overview presented.

Too much information? No worry, the most important part is the summary of number of messages in each category.

411 times no problems reported!

Test service

http://nw75.tobias.de:8000/sap/bc/gui/sap/its/webgui

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of ICF

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To be able to use of SAP NetWeaver ABAP ICF, for instance, to be able to log on via ICF, you need to activate some nodes. Check SAP Note 517484 for more details. Without these nodes activated, you cannot access SAP WebGui. For instance, accessing it via http://nw75.tobias.de:8000/sap/bc/gui/sap/its/webgui gives an error message.

Note: /sap/public/bc should already be active. It was at least in my fresh NW 7.5 installation.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Path /sap/public/bc/ur

Filter

Activate service

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Initial setup of SAP NetWeaver ABAP ICM for HTTP

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

SAPGui is just one way to access an SAP system. A more and more common way to interact and work with SAP is through a browser. As with all web sites, a web server must handle the browser requests. For SAP NetWeaver ABAP, the web server is ICM. ICM is integrated with NW ABAP, no need to install it as an additional package. The only task to be execute by BASIS is to configure ICM. First step is to validate that ICM is working and no errors are occurring. For a browser to be able to access NW ABAP through HTTP, ICM must be up and running and listening on a HTTP port. Without this port, no communication from a browser to NW ABAP is possible. To see the configured HTTP port of ICM, you can either look at the profile parameter or use SMICM to see the service information.

Check ICM HTTP Port configuration

  • Tx: SMICM

Goto -> Services

This shows the active services handled by ICM. As you can see, HTTP is just one of several possible services. SMTP is available, as can be telnet too! For each service you can see additional information like host name, and port. Port is given a 0. Check the ICM parameters to find out why. Also, take a look at SAP Help about this.

“Default Values AS ABAP

icm/server_port_0 = PROT=HTTP , PORT=0 , TIMEOUT=30 , PROCTIMEOUT=60

Outbound connections across HTTP and SMTP are possible with default values, but no ports for inbound connections are open.”

Configure ICM HTTP Port

Security first. That`s how SAP rolls. To allow someone accessing your SAP ABAP system via HTTP, you must explicitly activate this. Gives you also a hint if or if not SAP sees HTTP based access in ABAP as an equal citizen compared to SAPGui. To see the (default) parameter used by ICM, select:

Goto -> Parameters -> Display.

This will show you the parameters used by ICM. The ICM server parameters are given by icm/server_port_X.

Default parameter for HTTP is icm/server_port_0. Value for port is PORT=0. 0 meaning no incoming communication possible. A browser won`t be able to connect to NW ABAP. You have two options to change this: temporarily or permanent.

Change the HTTP port temporarily

  • Tx: SMICM

Goto -> Services

Select the service: Service -> Change.

In the dialog, enter the new parameters. For port, you can use 8080. Confirm the data to start the service.

This _should_ start the HTTP service using the informed port. In my case – obviously – this did not work.

Change the HTTP port permanently

As the above solution is only a temporary workaround, the error message can be ignored (well, not sure if it is an error message, looks green, OK, and so). To change the profile parameter of ICM, RZ10 is used. This makes the HTTP port change permanent.

  • Tx: RZ10
  • Profile: Default
  • Type: extended maintenance

Select create parameter

Values

  • icm/server_port_0
  • PROT=HTTP,PORT=80$$

Copy the parameter

The comment line changes and includes a change value. Also shows who did the change (blame).

Back at the parameter list, you can now see that the added parameter is listed.

Save the changes to the profile file.

Select yes to activate the new profile.

Confirmation that everything worked.

Note that you`ll have to restart your NW ABAP server to take effect.

Restart NW ABAP.

Test ICM HTTP Port

Did it work? How to test it? Easy: take a look at ICM service and access a service using a web browser. First, let`s see if ICM is listening on port 80$$ (btw: $$ is the ID).

SMICM

  • Tx: SMICM
  • Path: Goto -> Services

  • ICM is listening on port 8000 for HTTP connections!

SICF

Very easy to test. Just access a ICF node using your web browser.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Gateway – Activate ICF Services

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Gateway exposes services via HTTP, therefore the Gateway services must be activated on the NetWeaver ABAP system. As HTTP services are run by ICF, they are controlled by transaction SICF. The services to be activated for Gateway system that d not care about compatibility mode for SP02 are

  • /sap/public/opu
  • /sap/opu/odata

More information: SAP Help

These services are activated by activating the corresponding node and all sub elements.

Sap/public/opu

  1. Go to transaction SICF
  2. Execute and navigate to sap/public/opu

  3. Select Activate Service
  4. Select Yes

  5. Node is activated

/sap/opu/odata

  1. Go to transaction SICF

  2. Execute and navigate to sap/opu

  3. Select Activate Service
  4. Select Yes

  5. Node is activated

  6. Make sure that the handler for /sap/opu/odata is /IWFND/CL_SODATA_HTTP_HANDLER

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn