hybrid cloud: sap and ibm bluemix hybrid … cloud: sap and ibm bluemix 1 ... which exposes the sap...

Hybrid Cloud: SAP and IBM Bluemix

1

HYBRID CLOUD: SAP AND IBM BLUEMIX

PI 7.50 INSTALLATION, PI DEMO SETUP AND IBM

BLUEMIX ACCESS Volker Schoelles, SAP on IBM z Systems Development, IBM Research & Development, Boeblingen, Germany

The objective of this effort was to build a ‘mobile Flight’ App in Bluemix®. This ‘mobile Flight’ App can search, list and even book

flights. The mobile client part of the ‘Flight’ App can run under iOS or Android operated mobile devices (like iPhone, Galaxy, or

others). The ‘Flight’ App server is running on the IBM MobileFirst™ Platform (MFP) under Bluemix. The App accesses flight data of

an “SAP on IBM® z Systems®” Process Integration (PI) system.

The following documents the setup of the necessary infrastructure to allow the Bluemix App access to data of the SAP PI Demo

scenarios. These scenarios show the PI usage for flight searching, listing and booking for a travel agency working with different

airlines and their SAP systems.

This is a Hybrid Cloud scenario. It describes how to setup the infrastructure to enable a Bluemix (Cloud) MobileFirst App to access

data of an SAP Process Integration on-premise system. Access to SAP data is through the SAP NetWeaver Gateway which exposes

demo data thru OData services. On the other side, the Bluemix Secure Gateway service which runs on a Ubuntu on z Systems LPAR,

needs to be set up to allow the Bluemix MFP ‘Flight’ App access to the SAP NetWeaver Gateway.

The demo data is defined within several PI Demo scenarios which include a travel agency booking flights of two different airlines.


2

CONTENTS

Overview .................................................................................................................................................................................................... 3

PI ABAP Stack Installation with SWPM 1.0 SP17 ........................................................................................................................................ 5

PI Java Stack installation .......................................................................................................................................................................... 12

PI Demo setup .......................................................................................................................................................................................... 27

Activate SAP NetWeaver Gateway and publish the service for the PI Demo .......................................................................................... 68

Install a Bluemix Secure Gateway under Ubuntu for IBM z Systems ....................................................................................................... 73


3

OVERVIEW

A mobile device accesses the IBM MobileFirst cloud service. The MobileFirst cloud implementation uses an SAP adapter to talk with

the Bluemix Secure Gateway service. This service opens a secure communication path to the Ubuntu Secure Gateway client running

in the Demilitarized Zone (DMZ). The Secure Gateway client opens a tunnel thru another firewall to the SAP NetWeaver Gateway

which exposes the SAP flight demo data as an OData service.

In the overview figure the mentioned infrastructure components are marked by red ovals and the communication path by a red

arrow.

A more detailed view of the communication is shown in the next figure.


4

The SAP PI on IBM z Systems (or any other supported platform) running on-premise is on the right side of the figure. The SAP

NetWeaver Gateway is part of the ABAP stack of the PI 7.50 system. It is running under SUSE Linux Enterprise Server (SLES). The

SAP Application and the NetWeaver Gateway sit behind a firewall which allows communication via the standard port of the SAP

Internet Connection Manager (ICMAN).

The Bluemix Secure Gateway (BSGw) client is running on an Ubuntu Linux on another system in the Demilitarized Zone (DMZ). The

BSGw client talks to the SAP system on one side, and on the other side thru another firewall with its BSGw server running in the

Bluemix cloud. For secure https communication, the standard 443 port is used.

A MobileFirst App deployed in Bluemix can now talk to the BSGw server to get data from or put data on the SAP on-premise backend

via an SAP adapter.

These steps in setting up this infrastructure are described:

First, the installation of an SAP 7.50 PI system: The SAP installation documentation used is listed, but its information is not

repeated here. Only the problems that occurred during the process and how they were solved are described. Also, not all

input is shown in the screen shots. It is assumed that the installer has some experience in installing SAP on IBM z Systems.

Next, the setup of the PI Demo scenarios is described. Again, the SAP documentation is not repeated, only the issues and

their solutions.

Part three describes how to activate the SAP NetWeaver Gateway and how to publish the OData service for the PI Demo

scenarios.

The last part shows how to setup and configure the Bluemix Secure Gateway client under Ubuntu for z Systems. This client

is needed and used when defining a Bluemix Secure Gateway Service.

DMZ


5

ABAP STACK INSTALLATION WITH SWPM 1.0 SP17

SAP documentation used:

Installation Guide

Software Provisioning Manager 1.0

Document Version: 2.3 – 2016-06-06

Installation of SAP Systems Based on the Application Server ABAP of

SAP NetWeaver 7.1 to 7.5 on UNIX: IBM DB2 for z/OS

Link to current version 2.4: ABAP Installation Guide 2.4

The database was already installed. Its installation is not documented here.

Ran the SAP installation tool in a GUI (for example VNCclient) session. The SAP installation media was unpacked with the SAPCAR

utility as shown:

ihlscob6:/tmp/sapinst_instdir # /usr/sap/ZDE/SYS/exe/uc/linuxs390x/SAPCAR -xvf

/common/sapdvds/zscsinst_test/SWPM10SP17/zLin/SWPM/SWPM10SP17_0-20009612.SAR

ihlscob6:/tmp/sapinst_instdir # ./sapinst

Selected the ABAP ‘Standard System’ as shown below:

Used SID “ZPI” and set the ‘Global Password’.

https://websmp206.sap-ag.de/~sapidb/012002523100010954532014E


6

The CLI Driver location in this case was:

ihlscob6:/common/DB2_Connect/V111_FP0_SB35553/LINUX_S390X_64/clidriver # clidriver.SAR

Note that /common is an NFS mounted file system. Its exporting NFS server runs under Linux on z Systems.

Next step was the collection of the database specific input for the DB2 connect parameters.

In our case, they were derived from our Database Provisioning System (DPS): Resources DB2 Subsystems Communication.

Hint: You probably have to request them from your DB2 database administrator.


7

SAP DVDs were located in below directory after being downloaded from SAP Marketplace:


8


9

For simplicity the installation was done with a local SLD.

The “Summary” screenshots are not shown here. The installation started.

The error occurred that a DB2 package was not found:

ihlscob6:/tmp/sapinst_instdir/NW750/DB2/INSTALL/STD/ABAP # cat R3load.exe.log


10

/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: START OF LOG: 20160726163601

(BLD) INFO: sccsid "@(#) $Id: //bas/745_STACK/src/R3ld/R3load/R3ldmain.c#4 $ SAP"

(BLD) INFO: kernel release 745 [UNICODE]

(BLD) INFO: data format 1.8

(BLD) INFO: patch number 201

(BLD) INFO: compiled on "Jul 11 2016 10:48:58"

(PRC) INFO: working directory "/tmp/sapinst_instdir/NW750/DB2/INSTALL/STD/ABAP"

(PRC) INFO: called "/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load -testconnect"

(PRC) INFO: process id 35490

(LOG) INFO: log level: 1

(LOG) INFO: log format: classic

DbSl Trace: DB2 Call 'SQLExecDirectW' Error: SQLCODE = -805 : [IBM][CLI Driver][DB2] SQL0805N

Package "COBZP75.SAP1101U.SYSLH100.5359534C564C3031" was not found. SQLSTATE=51002

(DB) ERROR: db_connect rc = 256

DbSl Trace: DB2 Call 'SQLExecDirectW' Error: SQLCODE = -805 : [IBM][CLI Driver][DB2] SQL0805N

Package "COBZP75.SAP1101U.SYSLH100.5359534C564C3031" was not found. SQLSTATE=51002

(DB) ERROR: DbSlErrorMsg rc = 99

/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: job finished with 1 error(s)

(STAT) DATABASE times: 0.304/0.026/0.026 100.0%/100.0%/100.0% real/usr/sys.

/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: END OF LOG: 20160726163601

Added the Package / Collection ID manually with db2radm utility:

/sapmnt/ZPI/exe/uc/linuxs390x/db2radm -m db2i -P 11003 -L COBZP75 -H boecob3h -C SAP1101U -u VSCH -p ******** -W

primary_only

The installation finished successfully:


11

After the installation it is necessary to do the initial setup steps as described in:

https://websmp103.sap-ag.de/~sapidb/012002523100010638182014E : (Automated Initial Setup of Systems Based on SAP

NetWeaver ABAP)

/nstc01:

SAP_BASIS_SETUP_INITIAL_CONFIG

SAP_BASIS_SYSTEM_CONFIG_CHECK

SAP_BASIS_SSL_CHECK



12

JAVA STACK INSTALLATION


Installation Guide

Software Provisioning Manager 1.0

Document Version: 2.3 – 2016-06-06

Installation of SAP Systems Based on the Application Server Java of

SAP NetWeaver 7.1 to 7.5 on UNIX: IBM DB2 for z/OS

Link to current version 2.4: Java Installation Guide 2.4

Ran sapinst as described above for ABAP installation. Selected Java ‘Standard System’ as shown below:



13


14

SAPJVM8.SAR could be found in:

ihlscob6:/common/sapdvds/Kernel_zLin_745/DATA_UNITS/K_745_U_LINUX_S390X_64/DBINDEP # ls -l

SAPJVM8.SAR

-r-xr-xr-x 1 root root 282537666 Nov 13 2015 SAPJVM8.SAR

Used “SID” ZPJ.


15

In the ‘Software Package Browser’ screen I removed the first line under Media Location since it was duplicate.


16

At this step (during the input parameter selection of the Java installation) I stopped, because I had to do the definitions described in the Java Installation Guide under:


17

5.7 Preparing an External ABAP System as Source for User Data

I created the roles and user described there. Then the installation progressed with the following screen:

I do not include here the “Summary” screenshots. The installation started and ended successfully:


18

Remark: When I tried to start NWA (NetWeaver Administrator) application (ihlscob6.boeblingen.de.ibm.com:50400/nwa), I got a

‘remote access’ error. The fix is described in SAP Note 1451753 - Filtering of administration requests for AS Java

https://launchpad.support.sap.com/#/notes/0001451753


19

7.10 PI: Configuring the Process Integration System after the Installation

After you have completed the installation of SAP NetWeaver, you need to set up the basic configuration. You can use the Central

Technical Configuration (CTC) Wizard to automate the configuration tasks.

To configure the Process Integration (PI) system, I executed the “NetWeaver initial setup” CTC Wizard as described in SAP Note

1309239.

CTC Wizard: Select Functional Unit "SAP NetWeaver Process Integration (PI)"

I selected ‘Simple User Name and Password Policy’ for the users that were offered by the installation tool.



20


21


22


23


24

Hit the following error:

Found SAP NOTE: 1305716 - PI CTC: Product version 'SAP NETWEAVER PI 7.x' not found.

It refers to SAP NOTE: 669669 - Update of SAP System Component Repository of SLD


25

Downloaded 3 files:

Imported first cimsap, then crdelta11xxx, and finally crdelta12xxxx

Got error: “No RFC authorization for function module RFCPING” User PI_JCO_RFC needed also role

SAP_BC_JSF_COMMUNICATION, had only SAP_BC_JSF_COMMUNICATION_RO.

Got error: “Caller J2EE_GST_ZPJ not authorized, required permission missing” Added role SAP_J2EE_ADMIN with ‘SAP ALL’ rights

for user J2EE_GST_ZPJ.

CTC finished successfully:


26

Ran Enterprise Services Repository CTC successfully:

Now the PI system is installed and configured. Next step is to setup the PI system to run the PI Demo scenarios.


27

PI DEMO SETUP


SAP NetWeaver 7.40:

SAP NetWeaver Process Integration - Demo Example Configuration

Document Version 1.0 – October 2013

Document link

All setup steps described in this document follow this documentation, and I will always highlight the chapter titles. From the

prerequisite list, I did only step 5 (SAP Note 517484).

Below find the problems and hurdles described that were encountered during this exercise.

In chapter 4.5.1: Creating Communication Parties for B2B Communication

Needed to create PIDIRUSER (copied from PICACHEUSER) with standard password as system user with roles described in:

https://scn.sap.com/thread/1282671

In chapter 4.5.2: Defining Communication Components

Following error showed up when trying to assign a Business System:

InternalEOAService BusinessSystemAccessor failed

First created or checked the following users. The CTC wizard had not created all users, or, to be more precise, had created some of

the users ending with the SID ZPJ, like PIDIRZPJ.

Service User Description Assigned Role

PILSADMIN User for the Change Management Server SAP_XI_CMS_SERV_USER

PIREPUSER User for the Enterprise Services Repository SAP_XI_IR_SERV_USER_MAIN

PIDIRUSER User for the Integration Directory SAP_XI_ID_SERV_USER_MAIN

PILDUSER User for the System Landscape Directory (SLD) SAP_BC_AI_LANDSCAPE_DB_RFC

PIAPPLUSER User for sender applications SAP_XI_APPL_SERV_USER

PIRWBUSER User for the Runtime Workbench SAP_XI_RWB_SERV_USER_MAIN

PIAFUSER User for the Advanced Adapter Engine SAP_XI_AF_SERV_USER_MAIN

PIISUSER User for the Integration Server SAP_XI_IS_SERV_USER_MAIN

PIPPUSER User for principal propagation SAP_XI_APPL_SERV_USER

http://go.sap.com/documents/2015/08/f02e27e2-557c-0010-82c7-eda71af511fa.html




28

As next step, I checked the log of the Java application server. Started NetWeaver Administrator, then Troubleshooting Logs and

Traces Log Viewer: PIDIRUSER login to SLD fails.

Solution is described in an SAP customer record. It contains the following recommendation:

Please check all passwords in the NWA's Configuration ---> Infrastructure ---> Java System Properties ---> Services ---> XPI Service: AII

Config Service section.

Make sure all of these passwords are set correctly, especially com.sap.aii.directory.serviceuser.pwd.

After I modified all the passwords mentioned there and set them explicitly to the master PWD, the access to SLD worked.

Got another error: “Java exception when generating the Web Services Communication Channels”. Ignored this as I did not want to

implement the Web Services scenarios.

In chapter 5.1.2 Configuration in Integration Directory

Step 8. Choose Close.

“The system calls the model configurator. The process integration scenario CheckFlightSeatAvailability is displayed in a graphical

editor.”

Following warning popped up after hitting the ‘Close’ button:

Ignored this warning. Assumed that it may be caused by the failed generation (Java exception) of the WebServices communication

channels.

In the same chapter, another error message was shown when executing under header “Generating the Configuration Objects” the

step:

5. Choose Start:

The objects are generated. The generation log is called.


29

Found following SCN forum entry: https://scn.sap.com/thread/3831882. It says that the solution is to correct the Software

Component Version (SCV) in the Integration Builder (BI)! In the listed (and other) objects the SCV was something like ID:

7e9a3ca….424100 (see below screen shot)! Changed this to “SAP BASIS 7.50” which is the expected SCV!

Attention: You need to remember some of the ‘settings’ as they were before the change, and add them after the change again.

I noted the settings via screenshots.



30

Then ran the step again and could go on.


31

In chapter 5.1.3 Executing and Testing

In client 105 ran tx SXIDEMO. It shows following error: “XI system error; No receiver could be determined”.

Solution was to refresh the XI cache with SAP transaction SXI_CACHE

I followed the instructions of the document: “How to Configure the ABAP Cache Refresh” Document link

Then it worked, see next screenshot:

https://archive.sap.com/documents/docs/DOC-66709


32


33

5.2 Booking a Single Flight (Proxy-to-Proxy Communication)

Also had wrong Software Component Version for objects in this scenario. Fix is as described above.


34


35

After saving and activating the objects with correct SCV, still the scenario did not work.

Checked in client 001 with transaction (tx) sxmb_moni under ‘Monitor for processed XML messages’ listed errors. Found:

Caused by wrong Software Component Version in object. Did a refresh of the cache (tx sxi_cache) in client 001 (the Integr. Server).

Now neither scenario 1 nor scenario 2 (this one) worked.

Found the document “How to: SAP PI Cache Refresh” www.sapbasistuts.com/home/sap-pi/sap-pi-administration/sap-pi-cache-

refresh---how-to-document

Did all steps mentioned in that document, but the scenario 1 CheckFlightSeatAvalability was still NOT working.

Checked again all objects in Integration Builder (IB) for their Software Component Version. Receiver Agreement ZPI_105 | ZPI_107

SXIDEMO_AIRL_FLIGHT_CHECKAVAIL was still wrong!

After correction and tx SXI_CACHE refresh Scenario 1 worked again.

Scenario 2 BookSingleFlight still failed with:

Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions:

sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_BookingOrder_Agency2Airline_.class-1

So it seemed that there is still a wrong SCV. In the IB I changed:

1. All ‘MultipleFlightBookingCoordination’ Receiver Agreements to SAP BASIS 7.50. 2. Deleted in ZPI_106 | FlightBookingOrderConfirmation_Out the ‘local rule’.

Still got an error. Eventually the solution is described in SAP Note 1377033 - How to perform a Single Repository Object Cache

Refresh https://launchpad.support.sap.com/#/notes/0001377033:

Goto http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html and logon as user PISUPER.

Under Runtime select ‘Cache Overview’ and then fill out: Single ES Repository Object Cache Refresh fields for Object Type MAPPING

(interface mapping / object mapping) and XI_TRAFO (message mapping).

Attention: I used Mozilla Firefox to do the refresh.

Internet Explorer did not work for me and it took me quite some time to find this out.

http://www.sapbasistuts.com/home/sap-pi/sap-pi-administration/sap-pi-cache-refresh---how-to-document

http://www.sapbasistuts.com/home/sap-pi/sap-pi-administration/sap-pi-cache-refresh---how-to-document

http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_BookingOrder_Agency2Airline_.class-1


http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html


36


37

Get the “Operation Mapping” Object ID from Integration Builder:

SCV is what is listed in the error message: 0050568f0aac1ed4a6e56926325e2eb3

Get “Message Mapping” Object ID from Integration Builder:


38

Checked the CPA Cache Properties (NWA -> Configuration -> Infrastructure -> Java System Properties):

Here, XIAFUser is defined, but it does NOT exist in the system, only PIAFUSER exists. Changed to PIAFUSER (custom calculated value).


39

Need to do CPA cache refresh for (mapping refresh) for further objects:

Then run tx SXI_CACHE refresh.

Success, SingleFlightBooking worked:


40

Backed up the ZP75 Database.


41

5.3 Booking Connecting Flights (Proxy-to-Proxy Communication)

Further wrong Software Component Version of IB objects and CPA cache updates needed:


42


43

Further Operation and Message Mappings missing. Fix as described above (Single ES Repository Object Cache Refresh):


44

These Operation and Message Mappings were missing:


45


46


47

After all of the above Operation and Message Mappings were refreshed in the ES Repository Object cache, another PI cache refresh was additionally needed.

Ran tx SXI_CACHE to refresh the cache. Now the 3rd Scenario worked:


48

Going to implement scenario 1 with “Proxy-to-RFC RFC Communication”:

49

6.1 Checking Flight Seat Availability (Proxy-to-RFC Communication)

Another wrong Software Component Version of IB objects:

Fixed wrong SCV as described above.

In step 6.1.2 Executing and Testing the scenario did not work. Got following error in transaction sxmb_moni:

<?xml version="1.0" encoding="UTF-8" standalone="true"?>



<SAP:Error xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SAP="http://sap.com/xi/XI/Message/30"

SOAP:mustUnderstand="1"><SAP:Category>XIServer</SAP:Category><SAP:Code

area="INTERNAL">CLIENT_SEND_FAILED</SAP:Code><SAP:P1>404 </SAP:P1><SAP:P2>Not

found</SAP:P2><SAP:P3>(See attachment HTMLError for details)</SAP:P3><SAP:P4/><SAP:AdditionalText/><SAP:Stack>Error

while sending by HTTP (error code: 404 , error text: Not found) (See attachment HTMLError for details)

</SAP:Stack><SAP:Retry>A</SAP:Retry></SAP:Error>

Searched in Google for “http://sap.com/xi/XI/Message/30 client_send_failed 404” and found as first hit: http://scn.sap.com/thread/3475138, which says check RFC connection.

Changed in client 107 the XIDEMO_APPL user to a system user. It was defined as dialog user and was locked.

http://scn.sap.com/thread/3475138


50

Running the scenario still resulted in 404 error.

Set the trace level of the Integration Engine to 2 to get more information on the problem:

The higher trace level showed that the error was hit when reading SAP_XIAdapterFramework from SLD The call http://ihlscob6.boeblingen.de.ibm.com:50200/MessagingSystem/receive/AFW/XI was the one which returned http 404 !

Configured with the CTC Wizard the Advanced Adapter Engine. SAP Note 1314855 - Configuration Wizard: PI-AF initial setup

http://ihlscob6.boeblingen.de.ibm.com:50200/MessagingSystem/receive/AFW/XI



51

The CTC Wizard ran into error: Cannot read Exchange Profile with user PIDIRUSER.


52

Changed password of PIDIRUSER in RFC destination:


53

Now: Accessing ihlscob6.boeblingen.de.ibm.com:50400/exchangeProfile with PIDIRUSER returned a different error: No RFC authorization for function module LCRDB_GET_PROFILE.

Added SAP_ALL profile to PIDIRUSER:


54


55

Now it worked, access to Exchange Profile was possible and configuration of the Advanced Adapter Engine was successful.

The CTC Wizard ended successfully.

But I still got http error 404 when testing the scenario. I looked again at the url and especially the port. The used port 50200 is the port of the ABAP instance! My experience is that this must be the port of the now separate Java instance.

I ran http://ihlscob6.boeblingen.de.ibm.com:50400/MessagingSystem/receive/AFW/XI with PIISZPJ user (as in trace) and this url works:

http://ihlscob6.boeblingen.de.ibm.com:50400/MessagingSystem/receive/AFW/XI


56

So the wrong port was used! Checked the SLD. The Java AS was not defined as Business System. Defined it, but still got wrong port in url.

Found SAP Note 1556705 “XI runtime: AFW URL with HTTP instead of HTTPS”. It says that the port is taken from an

Exchange Profile parameter. Therefore, I changed it.

Changed in Exchange Profile the port from 50200 to 50400:



57

Attention: To activate such a change, the adapter entry in the ‘Adapter Engine Connection Data Cache’ must be deleted. You

get there by calling tx sxi_cache, press in the menu bar ‘Goto’ and select ‘Adapter Engine Cache’.

Now I got: Unable to check flight availability. Error Type: XI System error

The XML message trace showed that the wrong user was used, PIISZPJ instead of PIISUSER:


58

Changed in Exchange Profile: com.sap.aii.integrationserver.serviceuser.name from PIISZPJ to PIISUSER.

Attention: Ignore the message that PISUPER has not the permission to do the change, it works!

Attention: To activate such a change in the PI cache, the Adapter entry in the ‘Adapter Engine Connection Cache’ must be deleted as

described earlier.

Now I got the error: XI System Error

Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions

http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_FSACheck_Agency2AirlineRFC_Resp_.c~-1

Caused by wrong Software Component Version in object Agency2AirlineRFC. Changed it in IB and activated the change. Refreshed the cache (tx sxi_cache) in client 001 (Integr. Server). Also needed to do a CPA cache refresh for that object:

Get object ID info in ESR for the object:

http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_FSACheck_Agency2AirlineRFC_Resp_.c~-1


59

Goto http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html and login with user PISUPER. Under Runtime select ‘Cache Overview’ and fill out: Single ES Repository Object Cache Refresh fields as already described above (use as SCV: 0050568f0aac1ed4a6e56926325e2eb3).

http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html


60

Same for:


61

Did full SXI_Cache refresh and CPA Cache refresh and the scenario worked:


62

An additional update was needed for the ‘non existing flight’ test case:


63

6.2 Booking a Single Flight (Proxy-to-IDoc Communication)

When activating the IB changes, I got again the error that several objects do not exist, because the SCV is wrong:


64


65

Further Operation and Message Mapping missing. Fix as described above:


66

Did a SXI_CACHE update. Next wrong SCV:

<SAP:Stack>Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions: http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_BookingOrder_Agency2AirlineIDoc_.c~-1 </SAP:Stack>

Also needed to do a CPA cache refresh for that object. Under Runtime select ‘Cache Overview’ and then fill out: Single ES Repository Object Cache Refresh fields… as already described above… (used as SCV: 0050568f0aac1ed4a6e56926325e2eb3).

Then the scenario worked:


67

The IDoc display is under SAP Menu → Tools → ALE → ALE Administration Monitoring IDoc Display Display.

I stopped implementing further scenarios here as five are working now and deliver data which can be used for our Demo

App.


68

ACTIVATE SAP NETWEAVER GATEWAY AND PUBLISH THE SERVICE FOR THE PI DEMO SERVICE

How to activate the SAP NW Gateway

Call tx spro --> Click on 'Display SAP Reference IMG' --> Open 'SAP NetWeaver' --> Open 'SAP Gateway' --> Open 'OData Channel' -->

Open 'Configuration' and click to activate the SAP NetWeaver Gateway:


69

How to create and activate a service in the NetWeaver Gateway

Close 'Configuration' --> Open 'Administration' and click on 'Activate and Maintain Services':

Click on 'Add Service' button, search for *FLIGHT* and then ‘Select Backend Service "ZRMTSAMPLEFLIGHT_2". I used package $TMP

as I use this service locally.

Click on 'Continue/Enter':

When I tested the service via ‘Call Browser’ I got the http status code 403: forbidden! Needed to activate the service

rmtsampleflight_2 via tx sicf:


70


71

Browser test resulted then in:

Click ‘Add System Alias’ to add ‘LOCAL’ to the service. Then in ‘SAP Gateway Client’ the test for GET method shows collections /

data:


72

The fully qualified url like:

http://ihlscob6.boeblingen.de.ibm.com:50200/sap/opu/odata/IWBEP/RMTSAMPLEFLIGHT_2/FlightCollection/?sap-client=105

returned real data in Mozilla brower.

Hint: Troubleshooting an SAP Netweaver Gateway Service: https://blogs.sap.com/2013/08/09/frequent-problems-encountered-in-

netweaver-gateway-service-development/

https://blogs.sap.com/2013/08/09/frequent-problems-encountered-in-netweaver-gateway-service-development/

https://blogs.sap.com/2013/08/09/frequent-problems-encountered-in-netweaver-gateway-service-development/


73

INSTALL A BLUEMIX SECURE GATEWAY UNDER UBUNTU FOR IBM Z SYSTEMS

Prerequisite is a Bluemix user account. Downloaded the native installer for Ubuntu for IBM z Systems via:

https://console.ng.bluemix.net/docs/services/SecureGateway/sg_025.html#sg_050

1. Copied ibm-securegateway-client-1.6.0+client_s390x.deb from Windows to lnxsabgw (used WIN SCP)

Check md5 sum:

vsch@lnxsabsg:~$ md5sum ibm-securegateway-client-1.6.0+client_s390x.deb

ea2133b7263d7b65ceef8dd4572abe98 ibm-securegateway-client-1.6.0+client_s390x.deb

ea2133b7263d7b65ceef8dd4572abe98 is OK...

2. Used bash shell to install the package with

vsch@lnxsabsg:~$ sudo dpkg -i ibm-securegateway-client-1.6.0+client_s390x.deb

Provided as input parameters for the following questions:

a) Supply ACL File, each gateway separated by spaces: /etc/ibm/zpiacl.txt

b) Would you like to use the client UI (Y/N): Y

vsch@lnxsabsg:~$

Created the ACL file zpiacl.txt in /etc/ibm with 644 permissions and with following content. This allows access to port 50200, where

the SAP InternetConnectionManager (ICMan) is listening for http requests:

vsch@lnxsabsg:/etc/ibm$ cat zpiacl.txt

acl allow ihlscob6.boeblingen.de.ibm.com:50200

Started the SG with /usr/bin/sudo /bin/systemctl start securegateway_client

Checked the running client with: cat /var/log/securegateway/client_console_2016_10_12.log

Attention, the log name changes over time as it contains a date.

Stopped the SG with /usr/bin/sudo /bin/systemctl stop securegateway_client

Changed the configuration file /etc/ibm/sgenvironment.conf. It was created empty! In order to find out the syntax of entries,

searched for the filename in Google, which resulted in:

https://developer.ibm.com/clouddataservices/access-an-on-premises-db2-data-server-from-the-bluemix-cloud/

The adapted contents for the connection did not work. Found in the script which starts the SG

/usr/local/bin/securegateway_clientd

the start command:

(cd /opt/ibm/securegateway/client; LANGUAGE=$LANGUAGE /usr/local/bin/node lib/secgwclient.js $SECGW_GATEWAYID

$SECGW_ARGS >> /var/log/securegateway/$LOG_FILE.log 2>&1)

https://console.ng.bluemix.net/docs/services/SecureGateway/sg_025.html#sg_050

https://developer.ibm.com/clouddataservices/access-an-on-premises-db2-data-server-from-the-bluemix-cloud/


74

Set the parameter $SECGW_ARGS to the correct parameters in order to make the SG work. Finally, the SG started correctly with the

following entries in the /etc/ibm/sgenvironment.conf file. The GW ID and Security Token are taken from Bluemix:

vsch@lnxsabsg:~$ sudo cat /etc/ibm/sgenvironment.conf

#Restart Client

RESTART_CLIENT=Yes

# Configuration ID to connect

# If manually modifying the following, accepted values are:

GATEWAY_ID=pw2us1NwRgG_prod_eu-gb

export SECGW_GATEWAYID=$GATEWAY_ID

# Security Token for this Configuration ID (if any)

SECTOKEN=**************************************************************************************************

**************************************************************************************

Note: Please add here the real security token from the Bluemix GW service.

# Access Control List File

# If manually modifying the following, accepted values are the absolute path to your ACL file

ACL_FILE=/etc/ibm/zpiacl.acl

Args=" --F "$ACL_FILE" --t "$SECTOKEN

export SECGW_ARGS="$Args"

Ran in browser the icman ping to see if the correct response is shown:

http://caplonsgprd-3.integration.ibmcloud.com:15363/sap/public/icman/ping

Result: server on host ihlscob6 system ihlscob6_ZPI_02 (000) successfully reached

http://caplonsgprd-3.integration.ibmcloud.com:15363/sap/public/icman/ping


75

The following figure shows how to find the host and port used by the SG service under Bluemix:

Then did a cat of the log /var/log/securegateway/client_console_2016_10_12.log:

[2016-10-12 19:08:28.495] [INFO] (Client ID 57477) No password provided. The UI will not require a password for access

[2016-10-12 19:08:28.508] [WARN] (Client ID 57477) UI Server started. The UI is not currently password protected

[2016-10-12 19:08:28.508] [INFO] (Client ID 57477) Visit localhost:9003/dashboard to view the UI.

[2016-10-12 19:08:28.756] [INFO] (Client ID 57483) Setting log level to INFO

[2016-10-12 19:08:28.767] [WARN] (Client ID 57483) The ACL file provided during startup will not be imported until a connection has

been established to your gateway.

[2016-10-12 19:08:29.049] [INFO] (Client ID 57483) The Secure Gateway tunnel is connected

[2016-10-12 19:08:29.156] [INFO] (Client ID pw2us1NwRgG_vcU) Your Client ID is pw2us1NwRgG_vcU

[2016-10-12 19:08:29.158] [INFO] (Client ID pw2us1NwRgG_vcU) Synchronizing ACL rules


76

[2016-10-12 19:08:29.159] [INFO] (Client ID pw2us1NwRgG_vcU) The current access control list is being reset and replaced by the

user provided batch file: /etc/ibm/zpiacl.acl

[2016-10-12 19:08:29.160] [INFO] (Client ID pw2us1NwRgG_vcU) The ACL batch file process accepts acl allow

ihlscob6.boeblingen.de.ibm.com:50200

[2016-10-12 19:12:20.157] [INFO] (Client ID pw2us1NwRgG_vcU) Connection #1 is being established to

ihlscob6.boeblingen.de.ibm.com:50200

[2016-10-12 19:14:27.477] [ERROR] (Client ID pw2us1NwRgG_vcU) Connection #1 to destination

ihlscob6.boeblingen.de.ibm.com:50200 had error: ETIMEDOUT

pw2us1NwRgG_vcU> vsch@lnxsabsg:/etc/ibm$

Got EtimedOut error when trying to establish a connection to the zSAP backend.

Searched again in Google and found:

Are you hitting the ETIMEDOUT while the Secure Gateway Client is attempting to connect to your gateway? If that's the case, make

sure that outbound traffic is allowed on ports 443 and 9000.

Needed to setup two new firewall rules here:

I. Allow the lnxsabsg machine to use port 443 (https) outbound

II. Allow the lnxsabsg machine to use port 50200 (SAP icman of ZPI system) outbound

Now the SG was ready to be used and worked as expected.

Calling the PI Backend via the Bluemix Secure GW and NetWeaver GW thru Odata service via a browser shows for example following

xml formatted SAP flight data:


77


78

SUMMARY

Installation of the PI 7.50 system was basically a standard installation effort.

It was quite an experience and challenge to set up the PI Demo scenarios in an SAP PI 7.50 System, which is no longer based on SAP’s

dual stack architecture, but instead on two separate SAP SIDs, one for PI’s ABAP stack and another on for PI’s Java stack. Given the

many hurdles, I hope that SAP will release some time in the future a new version of the PI Demo setup documentation. In the

meanwhile above technical information may help.

Activating the SAP NetWeaver Gateway and the OData service was straight forward. The same hold true for setting up the Bluemix

Secure Gateway under Ubuntu for IBM z Systems.

So in general opening up an on-premise SAP system for secure access from IBM Bluemix cloud was a relatively easy task, once you

understand all the parts playing a role in this infrastructure game.

Building a mobile Application on top of that running in IBM Bluemix which reads, inserts, updates and deletes data of the on-premise

SAP system is a different story.

Share this document with other users and experts. The document is available in the SAP on IBM z Systems Community at IBM

developerWorks. You are welcome to comment or ask questions there as well.

https://www.ibm.com/developerworks/community/groups/service/html/communitystart?communityUuid=f200cb29-8f67-40d2-b44b-ea57838ba0ba


79

© Copyright IBM Corporation 2017

IBM Corporation Systems Group

Route 100 Somers, NY 10589

April 2017

IBM, the IBM logo, ibm.com, Bluemix, DB2, developerWorks, MobileFirst, z/OS, and z Systems are trademarks or registered

trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM

trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols

indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may

also be registered or common law trademarks in other countries.

A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at:

ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

LinkedIn, the LinkedIn logo, the IN logo and InMail are registered trademarks or trademarks of LinkedIn Corporation and its affiliates

in the United States and/or other countries.

Other product, company or service names may be trademarks or service marks of others.

This document is current as of the initial date of publication and may be changed by IBM at any time.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in

which IBM operates.

https://www.ibm.com/legal/us/en/copytrade.shtml

hybrid cloud: sap and ibm bluemix hybrid … cloud: sap and ibm bluemix 1 ... which exposes the sap...

Documents