© SAP AG 2006, XI Operations / Andreas Stolz / 2
Learning Objectives
As a result of this workshop, you will be able to:
– Describe Process Integration system setup with regard to High Availability and Scaling
– Understand and adapt the Exchange Infrastructure’s User Management and Authorization concept
– Understand how the NetWeaver Web Application Server’s Security Infrastructure is used within Process Integration
– Define and implement a monitoring concept for Process Integration
– Understand Process Integration’s housekeeping jobs
XI 3.0 Components in SAP Web AS 6.40
Diagram: XI 3.0 components on SAP Web AS 6.40, spread over the ABAP and J2EE stacks (connected via JRFC and HTTP(s)): Integration Engine, Business Process Engine, Mapping runtime, Central Monitoring, ICM, Adapter Engine, SLD, Integration Builder (IR, ID), Runtime Workbench, XI Tools, OpenSQL for ABAP and OpenSQL for Java.
High Availability?
Diagram: Add-In Central Instance with Web AS ABAP (ABAP Dispatcher, Work Process, Gateway, Internet Connection Manager), Web AS Java (Java Dispatcher, Server Process, SDM, Internet Graphics Server), database processes and database. Marked as SPOF: ABAP ENQ / ABAP MSG and the SCS (Java ENQ / Java MSG).
Single Point of Failure (SPOF)
– Message Server
– Enqueue Server
High Availability means SPOF elimination
– e.g. by using a Hardware Cluster
Database high availability can be assured by Clustering as well
High Availability Architecture I
Diagram: two Cluster Groups, each containing a complete Add-In Central Instance (Web AS ABAP with ABAP Dispatcher, Work Process, Gateway, Internet Connection Manager; Web AS Java with Java Dispatcher, Server Process, SDM, Internet Graphics Server; ABAP ENQ / ABAP MSG; SCS with Java ENQ / Java MSG) and the database processes for the shared database.
High Availability Architecture I
Complete Central Instance in a Cluster Group
– WebAS ABAP Central System Services are part of the Central Instance
Switch-over time equals the startup time of the Central Instance
Supported HA architecture up to NW04s SP08
High Availability Architecture II
Diagram: two Cluster Groups. The Add-In “Central” Instance (Web AS ABAP and Web AS Java processes, SDM) with the central services separated into an ASCS instance (ABAP ENQ / ABAP MSG) and an SCS instance (Java ENQ / Java MSG); an Add-In “Dialog” Instance (Web AS ABAP and Web AS Java processes, no SDM); database processes and database.
High Availability Architecture II
Separation of the WebAS ABAP Central Services into their own ASCS instance
Default HA architecture for NW04s
Only the SAP Central Services (ASCS and SCS) need to switch in case of failover
– Low switch-over time
Central instance hosts SDM
Usage Type PI supports this architecture from SPS08 on
– SAP Note 853510 – Release Restr.: Usage Type PI of SAP NetWeaver 2004s
Scaled Landscape
Diagram: Add-In Central Instance (Web AS ABAP and Web AS Java processes, SDM, Internet Graphics Server) with the SPOFs ABAP ENQ / ABAP MSG and SCS (Java ENQ / Java MSG), one database, and one to many Add-In Dialog Instances (same process set) connected as database clients.
Expected resource consumption cannot be handled by a single host
Extending system resources by adding instances instead of moving to more powerful hardware
NetWeaver 2004(s) Add-In installations scale up using Add-In dialog instances
Unless configured explicitly, each instance is configured the same from the Process Integration point of view
Scaled Landscape / Exchange Profile Issue
Diagram: Add-In Central Instance and Add-In Dialog Instance, each with Integration Server, Internet Connection Manager, Business Process Engine, Exchange Profile, Integration Builder, Runtime Workbench and Adapter Engine; the Central Instance additionally holds ABAP ENQ / ABAP MSG and SCS (Java MSG / Java ENQ). Integration Builder Client and RWB Client connect to the Central Instance.
Up to NW04s SP8 PI has SPOFs for
– Exchange Profile
– Integration Builder
– Runtime Workbench (Alerts)
Therefore Central Instance availability is crucial and ASCS could not be supported
Limitation up to
– NW04 SPS 17
– NW04s SPS 08
Exchange Profile Adaptation
Exchange Profile connection to WebAS ABAP can use load balancing (Message Server, Logon Group)
New Exchange Profile parameters:
– com.sap.aii.connect.directory.mshost
– com.sap.aii.connect.directory.mshttp(s)port
– com.sap.aii.connect.integrationserver.r3.group
– com.sap.aii.connect.integrationserver.r3.mshost
– com.sap.aii.connect.integrationserver.r3.r3name
– com.sap.aii.connect.repository.mshost
– com.sap.aii.connect.repository.mshttp(s)port
– com.sap.aii.connect.rwb.r3.group
– com.sap.aii.connect.rwb.r3.mshost
– com.sap.aii.connect.rwb.r3.r3name
– com.sap.aii.rwb.server.centralmonitoring.r3.group
– com.sap.aii.rwb.server.centralmonitoring.r3.mshost
– com.sap.aii.rwb.server.centralmonitoring.r3.r3name
Scaled Landscape – Messaging
Diagram: Add-In Central Instance and Add-In Dialog Instance (each with Integration Server, Business Process Engine, Exchange Profile, Integration Builder, Runtime Workbench, Adapter Engine). Sender systems reach the instances over http via the SAP Web Dispatcher (load balancer), and over IDoc/RFC after retrieving the list of available instances.
Scaled Landscape – Adaptations for Adapter Engine
Assignment to PI Domain via Exchange Profile
Hostname, either
– Web AS Java hostname or
– value of parameter SLD.selfregistration.hostname
Hostname used as
– target URL for messages being processed by the Adapter Engine
– target URL in Runtime Workbench
  - Adapter Component Monitoring
  - Adapter Message Monitoring
Scaled Landscape – Adaptations for Integration Engine
Assignment to PI Domain via Exchange Profile
Pipeline URL defined in the Integration Server’s Business System in the System Landscape Directory
Hostname used as
– target URL for messages being received by the Adapter Engine
– Integration Server Pipeline URL read by Application Systems if synchronized with SLD
Summary
System Landscape Architecture is driven by different needs like availability, resource consumption and network security
The Landscape Architecture affects the Process Integration configuration
– Exchange Profile parameters
– Service Users, especially if a central System Landscape Directory is used
It is crucial that the System Landscape Architecture and the Process Integration configuration are described in detail:
– Responsibilities, contact persons
– Application servers, hostnames, domains
– SLD strategy
– All service users configured
– “Special” configurations, e.g. adapters disabled on single application servers
Documentation
High Availability
– service.sap.com/ha
– service.sap.com/nw04operation → SAP XI
  - High Availability Guide – SAP XI 3.0
  - Tuning Guide – SAP XI 3.0
SLD Notes
– 768148 Using a separate SLD for XI
– 720717 Reduce the number of System Landscape Directories (SLD)
– 936318 Dividing a SLD instance
– 935474 Consolidate SLD instances
– How To ... Handle the SLD for SAP XI
XI
– 853510 Release Restr.: Usage Type PI of SAP NetWeaver 2004s
– 951910 NW2004s High Availability Usage Type PI
User administration and authentication
User Store
Standard: Users are maintained in the SAP NetWeaver AS ABAP (AS-ABAP) user store
Can also be integrated with LDAP based user administration
Certificate Store
XI and RNIF protocols support message level security based on digital signatures
RNIF protocol additionally supports encryption
The required certificates need to be entered into the key store of the SAP NetWeaver AS Java (AS-Java) engine
In the Integration Directory these certificates are referred to by the name of the key store view and the certificate name
Recommended to store CA certificates in the TrustedCAs view
Web AS Add-In Installation User Concept I
Web AS Java uses one client of its Web AS ABAP as its user master
For PI only
– Roles defined in Web AS ABAP are available as Groups in Web AS Java
– PI’s Web AS Java components’ authorization concept is based on Web AS ABAP roles
Web AS Add-In Installation User Concept I
Web AS Java uses one client of its Web AS ABAP as its user master.
Connection data can be found in the UME Provider service, e.g. in the Visual Administrator
– ume.r3.connection.master
Authentication data is read at runtime via RFC
Communication & Service Users - Example
Diagram: ABAP components (Integration Engine, Mapping runtime, Cache) and J2EE components (Adapter Engine, SLD, Integration Builder (IR, ID), Runtime Workbench, XI Tools) with the service users on their connections: PIISUSER, PIAPPLUSER, PIAFUSER, PIDIRUSER. Connections are marked as Cache Update or Messaging.
Users and connections are read from the Exchange Profile
PIAPPLUSER should only be used as a template!
For each Application System connected, create its own service user to send messages to the Integration Server, as a copy of PIAPPLUSER.
Service Users
PIREPUSER – Integration Builder Design
– SLD Requests
PIDIRUSER – Integration Builder Configuration
– SLD Requests, Integration Builder Design Requests, Cache Update
PIISUSER – Integration Server
– SLD Requests, Messaging to Adapter Engine, Cache Update
PIAFUSER
– SLD Requests, Messaging to Integration Server
PIAPPLUSER – Application System
– Connection to PI
PIRWBUSER – Runtime Workbench User
– Communication to all PI components
PILDUSER – Exchange Profile
– Connection to Web AS ABAP data store
Single / Standalone System Landscape Directory
Diagram: one SLD shared by PI DEV, PI CONS and PI PROD. By default every system uses the same set: PIREPUSER, PIDIRUSER, PIISUSER, PIRWBUSER, PIAFUSER, PILDUSER, PIAPPLUSER. With a separate set per system, PI CONS uses CONSREPUSER, CONSDIRUSER, CONSISUSER, CONSRWBUSER, CONSAFUSER, CONSLDUSER, CONSAPPLUSER and PI PROD uses PRODREPUSER, PRODDIRUSER, PRODISUSER, PRODRWBUSER, PRODAFUSER, PRODLDUSER, PRODAPPLUSER.
By default each PI system uses the same set of service users
If a single SLD is used, the password for all these service users MUST be the same in all connected PI systems
Solution: Define a new set of service users for each PI system
– Service users must be consistently maintained in every PI system
– ALL service users must be created in the SLD
Limit Authorization on PI Content Objects
By default any PI content developer or configurator can modify any object in the Integration Builder Design or Configuration.
In distributed teams or in a shared PI environment it might be necessary to limit the authorization of a developer or a group of developers to only one Software Component, to objects within a Software Component, or to specific Configuration Objects.
In the Integration Builder Design and Configuration specific roles can be created. Objects and authorizations on these objects can be added to these roles.
Limit Authorization on PI Content Objects
Create a new role in the Integration Builder Design
– Add Object Types of any Software Component and Namespace
Create a new role in the Integration Builder Configuration
– Add Configuration Objects and Collaboration Agreements
Enable usage of Integration Builder roles in the Exchange Profile
Assign users to the newly created Integration Builder roles
– Create dummy roles in Web AS ABAP; these roles are then available as groups in Web AS Java
– Assign users to these roles
– Assign the Integration Builder roles to the above groups in Web AS Java
– Assign unrestricted roles to Super Users
Enable Integration Builder roles in Exchange Profile
Integration Builder – Integration Builder Repository
– Parameter com.sap.aii.util.server.auth.activation to true
Integration Builder – Integration Builder Directory
– Parameter com.sap.aii.util.server.auth.activation to true

– Authentication and Authorization
– Network Topology
– Network and Transport Layer Security
– Message Level Security
Infrastructure Security - Secure Network Topology
Diagram: network zones from the Internet through the Outer DMZ (proxies, SAP NetWeaver AS), the Inner DMZ and the internal workstation network to the high security area with the application server farm (FI, SRM, …).
Architecture I
Diagram: Internet – DMZ with an Application Gateway (Reverse Proxy) – high security area with the application server farm including XI.
• Minimal security requirement for communication with partners
• Secure network protocols required
• Application gateway used for inbound and outbound communication
  • Internet Proxy for outbound http based communication
  • Reverse Proxy for inbound http based communication
  • SMTP gateway for inbound and outbound mail
Architecture II
Diagram: Internet – DMZ with an Application Gateway and a Decentral Adapter Engine – high security area with the application server farm including XI.
• Intermediate security requirement for communication with partners
• Secure network protocols required
• Decentral Adapter Engine in DMZ filters incoming messages by
  • Access Control Lists
  • Sender Agreements
Architecture III
Diagram: Internet – DMZ with an Application Gateway and an XI Content Gateway / PCK – high security area with the application server farm including XI.
• High security requirement for communication with partners
• Secure network protocols required
• Either XI, PCK, or a 3rd party content gateway used
  • schema / payload validation in DMZ
  • change of transport protocol
Network and Communication Security
HTTP and SSL
All PI runtime components support encryption of the HTTP data stream using SSL
Server or Mutual Authentication
– An X.509 certificate must be installed on the server component to enable HTTPs.
– HTTP server identifies itself with a certificate that is verified by the client
– HTTP client identifies itself with a certificate that is verified by the server
Requires that the SAP Cryptographic Library is installed on the AS (ABAP and Java)
Enabling SSL for ABAP and Java follows different procedures
SSL can also be configured for technical (internal) PI communication like cache updates and repository access from the directory
RFC and SNC
Connections between SAP components can be secured by SNC
SNC supports three levels of security protection
– Authentication only
– Integrity protection
– Confidentiality protection
The WebAS security guide explains how to set up SNC
SSL and SNC for secure connections
Secure connections are possible between the following
XI Internal Communication
– Configuration and Cache updates
– Between Adapter Engine and Integration Server
Messaging
– Between business systems and Integration Server
– Between PCK and Integration Server
– Between business systems and adapters
Enabling SSL – Web Application Server ABAP
Download and install the SAP Cryptographic Library
Maintain Profile Parameters
– ssl/ssl_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– sec/libsapsecu = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssf/ssfapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssf/name = SAPSECULIB
Create the SSL Server Personal Security Environment (PSE)
– Generate a Certificate Signing Request (CSR) for that PSE and send it to a Certification Authority (CA)
Import the CA’s trusted root Certificate
Import the Certificate request response into the SSL Server PSE
help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security → Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP
Enabling SSL – Web Application Server Java
Download and install the SAP Java Cryptographic Toolkit
Create the Server’s Key Pair to use for SSL
– Generate a Certificate Signing Request (CSR) for that Key Pair and send it to a Certification Authority (CA)
Import the CA’s trusted root Certificate
Import the Certificate request response
help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security → Configuring the Use of SSL on the SAP J2EE Engine
Enabling SNC - Checklist
Download and install the SAP Cryptographic Library
Create the Personal Security Environments (PSE)
– Web Application Server
– Clients
– Credentials for PSE files must be set for the user which starts the Web Application Server
SNC specific configurations
SNC Configuration Web Application Server
Download and install the SAP Cryptographic Library
Environment variables must be defined for both the Web AS ABAP and Java
– SNC_LIB points to sapcrypto.dll
– SECUDIR points to the file system directory where the PSEs are stored
Additionally, profile parameters must be set for Web AS ABAP
– ssf/name = SAPSECULIB
– ssf/ssfapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– sec/libsapsecu = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssl/ssl_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– snc/enable = 1
– snc/gssapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– snc/identity/as = p:<PSE’s DN>
– plus additional parameters defining the protection level and logon acceptance behavior
Create the Personal Security Environments (PSE)
– Web Application Server
– Clients
– Credentials for PSE files must be set for the user which starts the Web Application Server
Transport Level Security
Transport protocol / transport security per adapter:
– XI Protocol: HTTP / HTTPs (SSL)
– CIDX: HTTP / HTTPs (SSL)
– IDoc: RFC / SNC
– RFC: RFC / SNC
– Plain HTTP: HTTP / HTTPs (SSL)
– File/FTP: FTP / FTPs (SSL/TLS)
– SOAP: HTTP / HTTPs (SSL)
– Mail: SMTP, POP3, IMAP4 / HTTPs (SSL); SMTP / HTTPs (SSL) (Receiver only)
– Marketplace: HTTP / HTTPs (SSL)
– RNIF 2.0: HTTP / HTTPs (SSL)
– RNIF 1.1: HTTP / HTTPs (SSL)
Authentication mechanisms listed per adapter on the slide: Basic, Client Certificate; Basic, CRAM-MD5.
Access control list
Restrict access to the runtime environment
– for sender services of type Business Service or Business System
– for interfaces of these sender services
Restrict access to particular (service) users
Check authorization at runtime
Configure access control in the Integration Directory
– Sender service: Specify authorized users in the configuration of the corresponding (sender) service
– Interface: Specify authorized users in the configuration of the relevant sender agreement which contains the interface in the object key
Access Control Using Assigned Users
Diagram: Sender System → PI
Validates the sender user information against the Business System’s assigned users.
Validates the sender user information against the Sender Agreement’s assigned users for specific Interfaces.
Access Control Using Assigned Users
For Sender Business Systems and Interfaces, access control can be restricted to particular service users.
– Service Users must be created in the Integration Server (PIAPPLUSER)
– In the Integration Builder Configuration the Service User must be assigned to
  - Business System
  - Sender Agreement
Supported Adapter Types
– XI Adapter
– Plain HTTP Adapter
– RFC Adapter
– IDoc Adapter
– SOAP Adapter
– RNIF (RNIF Adapter 1.1 and RNIF Adapter 2.0)
– CIDX
– SAP Business Connector Adapter
– Marketplace Adapter
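As an added example (not SAP's code), this Python model shows the two-stage check described above: the sender user must first be among the users assigned to the sender Business System, and then, if the Sender Agreement for the interface has assigned users, among those as well. The model assumes that an empty assignment imposes no restriction at that stage, and it follows the earlier advice that PIAPPLUSER is only a template, so each application system gets its own copy. All system, interface, namespace and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Assumption of this model: an empty assigned-user set means the stage imposes
# no restriction; a non-empty set allows only the listed users.
Users = FrozenSet[str]
AgreementKey = Tuple[str, str, str]  # (sender service, interface, namespace)


@dataclass
class IntegrationDirectory:
    """Constructed slice of an Integration Directory configuration."""
    sender_services: Dict[str, Users]             # Business System -> assigned users
    sender_agreements: Dict[AgreementKey, Users]  # agreement -> assigned users


def check_access(directory: IntegrationDirectory, sender_service: str,
                 interface: str, namespace: str, user: str) -> Tuple[bool, str]:
    """Stage 1: sender service ACL; stage 2: sender agreement ACL for the interface."""
    service_users = directory.sender_services.get(sender_service)
    if service_users is None:
        return False, f"unknown sender service {sender_service}"
    if service_users and user not in service_users:
        return False, f"{user} is not assigned to sender service {sender_service}"
    key = (sender_service, interface, namespace)
    if key not in directory.sender_agreements:
        return False, f"no sender agreement for {interface} from {sender_service}"
    agreement_users = directory.sender_agreements[key]
    if agreement_users and user not in agreement_users:
        return False, f"{user} is not assigned to the sender agreement for {interface}"
    return True, "accepted"


# Constructed sample: three connected systems. ERP and CRM each have their own
# copy of the PIAPPLUSER template; the template user itself is assigned nowhere.
NS = "urn:example:orders"  # placeholder namespace
SAMPLE_DIRECTORY = IntegrationDirectory(
    sender_services={
        "BS_ERP_DEV": frozenset({"ERPAPPLUSER", "ERPPRICEUSER"}),
        "BS_CRM_DEV": frozenset({"CRMAPPLUSER"}),
        "BS_LEGACY": frozenset(),  # no restriction on service level
    },
    sender_agreements={
        ("BS_ERP_DEV", "OrderCreate_Out", NS): frozenset(),                    # service ACL only
        ("BS_ERP_DEV", "PriceChange_Out", NS): frozenset({"ERPPRICEUSER"}),   # narrowed per interface
        ("BS_CRM_DEV", "OrderCreate_Out", NS): frozenset({"CRMAPPLUSER"}),
        ("BS_LEGACY", "OrderCreate_Out", NS): frozenset({"LEGACYAPPLUSER"}),  # interface ACL only
    },
)

if __name__ == "__main__":
    for args in (("BS_ERP_DEV", "OrderCreate_Out", NS, "ERPAPPLUSER"),
                 ("BS_ERP_DEV", "OrderCreate_Out", NS, "PIAPPLUSER"),
                 ("BS_ERP_DEV", "PriceChange_Out", NS, "ERPAPPLUSER"),
                 ("BS_LEGACY", "OrderCreate_Out", NS, "PIAPPLUSER")):
        print(args[0], args[1], args[3], "->", check_access(SAMPLE_DIRECTORY, *args))
```

The stage-2 set can only narrow what stage 1 allows; a user listed in a sender agreement but not on the Business System is still rejected at stage 1.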
Message Level Security - Highlights
Message level security enabled through the use of digital signatures and encryption in XI 3.0
Digital signatures authenticate the sending partner and ensure data integrity
Adds security controls to communication level security that are required for B2B communication
Message level security for the XI 3.0 protocol and the SOAP adapter is based on the Web Services Security (WS-Security) standard
RNIF 2.0 adapter employs the S/MIME standard
Encryption ensures that the message content is confidential
Archiving secured messages
For non-repudiation purposes, secured messages are archived in the non-repudiation store
For each secured message the following data is stored
– The raw message
– Security policy as configured in the directory
– References to certificates in the keystore
– Identification of the certificate used
The archive can be monitored using the Runtime Workbench
The non-repudiation archive is only available for the RNIF protocol
Certificate Store
Message-level security (MLS) processing takes place in the SAP NetWeaver AS Java stack
Integration Server security processing makes a web service call to the AS-Java stack for MLS
Certificates of partners, CAs, etc. to be used must be created or imported in the keystore of AS-Java
Integration Directory – references to keystore certificates are made via keystore view and entry name
CA certificates should be stored in the predefined TrustedCAs view
Message Level Security
Message level security technology per adapter (the slide additionally marks, per adapter, the supported levels: Signature, Non-Repudiation of origin, Non-Repudiation of receipt, Encryption):
– XI protocol: WS-Security
– SOAP: WS-Security
– Mail: S/MIME
– RNIF 2.0: S/MIME
– RNIF 1.1: PKCS#7
– CIDX: PKCS#7
Summary
User Management and Authorizations for Process Integration are based on the SAP NetWeaver Add-In Installation. Users and Roles defined in WebAS ABAP are available as Users and Groups in WebAS Java.
Authorization can easily be extended to cover Integration Builder Content objects as well.
Process Integration makes use of the SAP NetWeaver Application Server’s Security Infrastructure (SSL, SNC, Keystore) for Secure Connections and Message Level Security
Access Control Lists can be used to restrict access to Process Integration for sender systems or sender interfaces
Documentation
Network and Transport Layer Security
– help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security
– service.sap.com/security → Security in Detail → Infrastructure Security → SNC’s User Guide
– service.sap.com/security → Security in Detail → Infrastructure Security → TCP/IP Ports Used by SAP Applications
Single Sign-On
– How To ... Enable Single Sign-On (SSO) for SAP XI 3.0
Service User
– 936093 XI 7.0: Change passwords of XI service users
SLD Notes
– 768148 Using a separate SLD for XI
Motivation
Monitoring is a crucial part of an Operation Concept
Monitoring should cover
– Availability of your Landscape Components
– Alerting of error situations
The following Monitoring Tools are available for the Exchange Infrastructure 3.0
– CCMS Monitoring
– Alert Framework
– Runtime Workbench
Monitoring Concept
CCMS Alert Monitor
– Availability of Components
– Process Integration alerts structured by Error Category
– Alerts cannot be assigned to scenarios
Alert Framework and Message based Alerting
– Assignment of Alerts to Scenarios
– Alerts for Adapter problems
– Escalation processes possible
Process Integration Monitoring Features
PMI free Alerting – NW04 SP14 and NW04s
Supports NetWeaver Search and Classification for payload search – NW04 SP15 and NW04s SP6
New CCMS monitor template for Business Process Engine – NW04 SP16 and NW04s SR1
Channel Monitoring – NW04 SP17 and NW04s SP8
Planned: WebService Interface for starting and stopping Communication channels
Planned: Communication Channel Scheduler
Planned: Payload Editor
Process Integration and CCMS Alert Monitor
Easy integration of Process Integration into CCMS Alert Monitor
– Integration Engine
– Business Process Engine
– Adapter Engine
Pre-defined Monitor Template available
Easy Configuration
– CCMS Monitoring enabled by default
– CCMS Alert Monitor configuration through System Group
– Adapter Engine integrated via SAPCCMSR agent
XI Monitoring Template
Access PI’s CCMS Monitoring template by running either transaction RZ20 or transaction S_B6A_52000011 in folder “Exchange Infrastructure: Monitoring” of the personal user menu.
Alert Framework (ALM) and PI
Using the Alert Framework PI can generate Alerts for specific Sender / Receiver / Interface combinations (Alert Rules).
Different contact groups can be alerted based on Alert Categories. Alert Rules are assigned to Alert Categories.
The Alert Framework is a standard NetWeaver functionality. Alerts can be delivered using several channels, like Email, SMS, Pager (SAPConnect).
As a prerequisite End-to-End Monitoring (Process Monitoring Infrastructure PMI) must be configured
– Up to and including NW 04 SP 13; from SP 14 on the Alert generation does not depend on PMI anymore
Alert Categories I
Alert Categories are containers for a kind of alert. Additional information like alert texts and subsequent activities as well as recipient lists is maintained per Alert Category.
In the Runtime Workbench, in section Alert Configuration, press the button Create Alert Category. On the following screen maintain the Alert Category.
Alert Categories II
Container Elements for various Message Header information are available for PI Alerts. These Container Elements are filled at runtime with Message specific information and are used within the Alert’s short and long text, e.g.
– Container Element SXMS_MSG_GUID returns the Message ID
– Container Element SXMS_FROM_INTERFACE returns the Sender Interface
Subsequent Activities for PI Alerts by default contain links for the respective message to the
– Message Monitoring
– End-to-End Monitoring
Recipients can be identified
– as Fixed Users
– via User Roles
– via Self-Subscription based on User Roles
Alert Rules
Alert Rules define the error situation which raises a specific alert. One Alert Category can contain one or many Alert Rules.
In the Runtime Workbench, in section Alert Configuration, select an Alert Category. Define an Alert Rule and add it to the Alert Category.
Indexed Search with TRex – Motivation
Payload search
In many cases
– Use application key attributes to search for messages
– Enter e.g. “OrderID” to check whether an order was processed
Efficient search for messages
TREX is an efficient search engine, built to work on high data volumes
– Existing search mechanisms can be used
Indexed Search with TRex – Realization
Integration in Runtime Workbench
– Include monitoring of all ABAP and Java components within the system landscape
– Offer Index administration within RWB
– Integrate index-based search in regular message monitoring
Use of TREX search engine
– TREX is an already existing SAP search engine
– TREX is part of SAP NetWeaver
Channel Monitoring
New with NW04 SP17 and NW04s SP8
Used for monitoring and administrating communication channels
– Start / Stop channels
– Monitor channels for errors
Access via Runtime Workbench → Component Monitor → Adapter Engine → Communication Channel Monitor
Summary
Easy integration of Process Integration into SAP NetWeaver monitoring infrastructure
Difference between CCMS Alert Monitor and Runtime Workbench Alerts
– Structured by Error Category (CCMS)
– Message based / assignment to scenarios (RWB Alerts)
TRex is used for searching the payload
Communication Channel Monitor available for administration and monitoring of communication channels
Documentation
How To Guides
– How To ... Monitor Exchange Infrastructure 3.0
– How To ... Monitor Integration Processes (ccBPM)
SAP Notes
– 634771 GRMG Customizing File for XI CCMS Heartbeat
– 913858 XI3.0 Alerting: Troubleshooting
Archiving and Deleting Messages
To avoid database growth XML Messages need to be deleted on a regular basis
Some Messages must be archived before deletion
– For legal reasons
– If Messages are canceled manually because of a serious error situation, to record that the EO delivery is broken
Messages need to be archived and deleted on both the Integration Engine and the Adapter Engine
Define Interfaces for Archiving
Define Interfaces for Archiving
– Interfaces defined for archiving cannot be deleted beforehand
– All other interfaces can be deleted if they are successfully processed
– Manually canceled messages must be archived before deletion. It is not necessary to define interfaces for manually canceled messages. They are archived in any case during the archiving job.
Transaction SXMB_ADM → Define Interfaces for Archiving and Retention Periods
Define Retention Periods
Define Retention Periods for
– asynchronous messages awaiting deletion or archiving
– synchronous messages with or without errors awaiting deletion
– history entries for deleted messages
Transaction SXMB_ADM → Define Interfaces for Archiving and Retention Periods
Schedule Archiving and Delete Jobs (Integration Engine)
Jobs for Archiving and Deletion in the Integration Engine need to be scheduled
Transaction SXMB_ADM
– Schedule Archiving Jobs
– Schedule Delete Jobs
Schedule Archiving and Delete Jobs (Adapter Engine)
Jobs for Archiving and Deletion in the Adapter Engine need to be scheduled
Runtime Workbench → Component Monitoring → Adapter Engine → Background Processing
CMS Transport - Basics
Change Management Service (CMS) is part of the SAP NetWeaver Java Development Infrastructure (SAP NWDI)
CMS is comparable to the ABAP Change and Transport System (CTS)
CMS and CTS are not integrated. This means there is no automatic synchronization between the two
CMS is closely integrated with the Design Time Repository (DTR), the Component Build Service (CBS), and the System Landscape Directory (SLD)
CMS is optimized for the transport of source code changes within NWDI
© SAP AG 2006, XI Operations / Andreas Stolz / 83
CMS Transport - Basics
CMS is also used to transport Integration Builder content (XI content)
Figure: Change Management Service (CMS) and SLD above the three Integration Builder systems IB DEV, IB CONS and IB PROD, each with its own REP, DIR and IS
© SAP AG 2006, XI Operations / Andreas Stolz / 84
CMS Transport – Basics – Conceptual Match
CMS:
– Optimized for the transport of source code changes within NWDI
– Partitioning by SWCVs
Integration Builder (Repository):
– Design tool for the development of design objects
– Partitioning by SWCVs
– Uses CMS mainly for the transport of design object changes
=> Conceptual match
Integration Builder (Directory):
– Configuration tool
– No partitioning by SWCVs
– Uses CMS for the distribution of configuration data
=> Conceptual mismatch
© SAP AG 2006, XI Operations / Andreas Stolz / 85
Transport Basics – Versioning (Repository)
Repository transport is versioned
No new object versions are created during import
No manual post-processing is necessary after import
Import order is not relevant
Figure: Source Repository with Object Versions 1, 2 and 3 (one marked as the active version); Transport 1 carries Object Version 2, Transport 2 carries Object Version 1 and Transport 3 carries Object Version 3 into the Target Repository
© SAP AG 2006, XI Operations / Andreas Stolz / 86
Transport Basics – Versioning (Directory)
Directory transport is not versioned
New object versions are created during import
Manual activation of imported objects is necessary
Import order is relevant
Figure: Source Directory with Object Versions 1, 2 and 3 (one marked as the active version); Transport 1 carries Object Version 1, Transport 2 carries Object Version 2 and Transport 3 carries Object Version 3 into the Target Directory, where each import creates a new object version
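Worked example for the two versioning slides, added here; it is not from the SAP material and is not how CMS or the Integration Builder are implemented. The Python model contrasts the two import behaviours the slides describe: a repository target records the source version id it receives, so the same three transports imported in any order give an identical result and nothing needs activation, while a directory target numbers every import as a new version and leaves it inactive until activated, so the result depends on the import order. Class names, object names and the sample transport contents are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed model of repository (versioned) versus directory (unversioned)
# transport import. Names are assumptions, not CMS or Integration Builder APIs.


class RepositoryTarget:
    """Versioned import: an imported object keeps its source version id.
    Importing a version the target already holds creates nothing new, the
    active version is the highest id present, so import order is irrelevant
    and no manual activation is needed."""

    def __init__(self) -> None:
        self.versions: Dict[str, set] = {}

    def import_transport(self, obj: str, source_version: int) -> Optional[int]:
        known = self.versions.setdefault(obj, set())
        known.add(source_version)          # idempotent: no new version is created
        return self.active_version(obj)

    def active_version(self, obj: str) -> Optional[int]:
        known = self.versions.get(obj)
        return max(known) if known else None


class DirectoryTarget:
    """Unversioned import: every import creates a fresh target version
    (numbered in import order) that stays inactive until an administrator
    activates it, so the order of imports determines the final state."""

    def __init__(self) -> None:
        self.versions: Dict[str, List[dict]] = {}
        self.active: Dict[str, int] = {}

    def import_transport(self, obj: str, payload: str) -> int:
        created = self.versions.setdefault(obj, [])
        created.append({"payload": payload, "active": False})
        return len(created)                # number of the newly created target version

    def activate(self, obj: str, version: int) -> str:
        """Manual post-processing step: make exactly one imported version active."""
        entries = self.versions[obj]
        if not 1 <= version <= len(entries):
            raise ValueError(f"{obj}: version {version} was never imported")
        for e in entries:
            e["active"] = False
        entries[version - 1]["active"] = True
        self.active[obj] = version
        return entries[version - 1]["payload"]

    def active_payload(self, obj: str) -> Optional[str]:
        v = self.active.get(obj)
        return self.versions[obj][v - 1]["payload"] if v else None


def repository_is_order_independent(orders=((2, 1, 3), (3, 1, 2), (1, 2, 3))) -> bool:
    """Import the same three source versions in several orders; every order must
    yield the identical version set and the same active version."""
    results = []
    for order in orders:
        target = RepositoryTarget()
        for v in order:
            target.import_transport("Mapping_Order", v)   # constructed object name
        results.append((frozenset(target.versions["Mapping_Order"]),
                        target.active_version("Mapping_Order")))
    return len(set(results)) == 1


def directory_depends_on_order() -> Tuple[str, str, Optional[str]]:
    """Same three directory transports in two orders: the target version that
    ends up as 'version 3' holds different content, and nothing is active
    until activate() is called."""
    a, b = DirectoryTarget(), DirectoryTarget()
    for payload in ("cfg-v1", "cfg-v2", "cfg-v3"):
        a.import_transport("ReceiverDetermination_X", payload)   # constructed object name
    for payload in ("cfg-v3", "cfg-v1", "cfg-v2"):
        b.import_transport("ReceiverDetermination_X", payload)
    latest_a = a.versions["ReceiverDetermination_X"][-1]["payload"]
    latest_b = b.versions["ReceiverDetermination_X"][-1]["payload"]
    return latest_a, latest_b, a.active_payload("ReceiverDetermination_X")


if __name__ == "__main__":
    print("repository import order independent:", repository_is_order_independent())
    print("directory latest version by import order:", directory_depends_on_order())
```

The operational consequence the model makes visible: for directory content the sequence of transports and the activation step are part of the change record, so a transport process should log both; for repository content replaying or reordering transports is harmless.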
© SAP AG 2006, XI Operations / Andreas Stolz / 87
CMS Transport – Basics – Advantages and Disadvantages
The use of CMS for XI content is optional. XI content can also be transported on the file system only or in parallel.
Advantages of using CMS:
– Traceability
– Quality assurance
– Confirmation messages during process steps
– Transport of always exactly defined parts
– Automation
Disadvantages:
– Installation effort
– Maintenance (user management, tracks, …)
© SAP AG 2006, XI Operations / Andreas Stolz / 88
CMS Transport – Basics – Tracks
Transport routes are defined by ‘tracks’
A track consists of up to three systems, called DEV, CONS, and PROD
A single track is defined for the transport of a specified set of SWCVs
A single track can be defined either for a Repository or a Directory transport, but not for both at the same time
Tracks can be connected to create transport routes with more than three systems
A track can have multiple successor tracks
Figure: Integration Builder systems IB DEV, IB CONS 1, IB CONS 2 and IB PROD, all with Repository (REP) transport; Track 1 for SWCV1 and Track 2 for SWCV2
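Worked example for the track rules on this slide, added here and not taken from the SAP material; it models no CMS API. The Python code validates constructed track definitions against the listed constraints (at most three systems, Repository or Directory content but not both, one track per SWCV set) and expands connected tracks into the longer transport routes the slide mentions. Track names, system names and the rule that a successor track must carry the same content kind as its predecessor are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed model of CMS tracks as described on the 'Tracks' slide.
# Class and function names are assumptions; this is not the CMS API.

CONTENT_KINDS = {"REP", "DIR"}   # a track carries either Repository or Directory content


@dataclass
class Track:
    name: str
    content: str                 # "REP" or "DIR", never both
    swcvs: Set[str]              # software component versions transported by this track
    systems: List[str]           # up to three: DEV, CONS, PROD
    successors: List["Track"] = field(default_factory=list)


def validate_track(track: Track) -> None:
    """Enforce the constraints listed on the slide."""
    if track.content not in CONTENT_KINDS:
        raise ValueError(f"{track.name}: content must be REP or DIR, got {track.content!r}")
    if not 1 <= len(track.systems) <= 3:
        raise ValueError(f"{track.name}: a track has between one and three systems")
    if not track.swcvs:
        raise ValueError(f"{track.name}: a track must name the SWCVs it transports")
    for succ in track.successors:
        if succ.content != track.content:
            # assumption: a route does not mix repository and directory transports
            raise ValueError(f"{track.name} -> {succ.name}: successor carries different content")


def root_tracks(tracks: List[Track]) -> List[Track]:
    """Tracks that are nobody's successor, i.e. where a transport route begins."""
    successor_names = {s.name for t in tracks for s in t.successors}
    return [t for t in tracks if t.name not in successor_names]


def track_for_swcv(tracks: List[Track], swcv: str, content: str) -> Track:
    """A given SWCV enters the landscape through exactly one track per content kind."""
    hits = [t for t in root_tracks(tracks) if swcv in t.swcvs and t.content == content]
    if len(hits) != 1:
        raise ValueError(f"{swcv}/{content}: expected one track, found {[t.name for t in hits]}")
    return hits[0]


def transport_routes(track: Track, _seen: Tuple[str, ...] = ()) -> List[List[str]]:
    """Expand a track and its successor tracks into full system routes; this is
    how routes with more than three systems are built from connected tracks."""
    if track.name in _seen:
        raise ValueError(f"cycle through track {track.name}")
    if not track.successors:
        return [list(track.systems)]
    routes = []
    for succ in track.successors:
        for tail in transport_routes(succ, _seen + (track.name,)):
            # the successor starts in the system where this track ends; do not list it twice
            overlap = tail and tail[0] == track.systems[-1]
            routes.append(list(track.systems) + (tail[1:] if overlap else tail))
    return routes


# --- constructed landscape: two repository tracks, the second one chained ----
TRACK_1 = Track("Track 1", "REP", {"SWCV1"}, ["IB DEV", "IB CONS 1", "IB PROD"])
TRACK_2 = Track("Track 2", "REP", {"SWCV2"}, ["IB DEV", "IB CONS 2"])
TRACK_2_PROD = Track("Track 2 (prod)", "REP", {"SWCV2"}, ["IB CONS 2", "IB PROD"])
TRACK_2.successors.append(TRACK_2_PROD)
TRACKS = [TRACK_1, TRACK_2, TRACK_2_PROD]


def check_landscape() -> List[List[str]]:
    """Validate every track and return the route(s) SWCV2 takes to production."""
    for t in TRACKS:
        validate_track(t)
    return transport_routes(track_for_svcv := track_for_swcv(TRACKS, "SWCV2", "REP"))


if __name__ == "__main__":
    print("SWCV1 route:", transport_routes(TRACK_1))
    print("SWCV2 route:", check_landscape())
```

A check like this belongs in whatever script or review step creates tracks, because a track that silently mixes content kinds or leaves an SWCV with two entry tracks is the kind of maintenance error the 'Disadvantages' slide alludes to.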
© SAP AG 2006, XI Operations / Andreas Stolz / 89
Summary
XML Messages on the Integration Engine and the Adapter Engine must be archived (in some cases) and deleted to avoid database growth
SAP Change Management Service (CMS) can be used to transport Integration Builder Design and Configuration Objects through the XI system landscape
© SAP AG 2006, XI Operations / Andreas Stolz / 90
THANK YOU FOR YOUR ATTENTION !
QUESTIONS – SUGGESTIONS – DISCUSSION
© SAP AG 2006, XI Operations / Andreas Stolz / 91
Copyright 2006 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.