XI Operations – Nordic SAP User Group
Andreas Stolz, NetWeaver RIG Expert, SAP AG
Walldorf, Nov. 2006

© SAP AG 2006, XI Operations / Andreas Stolz / 2

Learning Objectives

As a result of this workshop, you will be able to:
– Describe the Process Integration system setup with regard to High Availability and Scaling
– Understand and adapt the Exchange Infrastructure's User Management and Authorization concept
– Understand how the NetWeaver Web Application Server's Security Infrastructure is used within Process Integration
– Define and implement a monitoring concept for Process Integration
– Understand Process Integration's housekeeping jobs

Agenda
– Architecture
– Security
– Monitoring
– Operational Tasks

XI 3.0 Components in SAP Web AS 6.40

[Diagram: XI 3.0 components on SAP Web AS 6.40 – ABAP stack: Integration Engine, Business Process Engine, Central Monitoring, ICM; J2EE stack: Adapter Engine, SLD, Integration Builder (IR, ID), Runtime Workbench, XI Tools, Mapping runtime; the stacks communicate via HTTP(s) and JRFC and access the database via Open SQL for ABAP and Open SQL for Java]

High Availability?

[Diagram: Add-In Central Instance – Web AS ABAP (ABAP Dispatcher, Work Process, Gateway, Internet Connection Manager), Web AS Java (Java Dispatcher, Server Process, SDM, Internet Graphics Server), ABAP ENQ and ABAP MSG, SCS with Java ENQ and Java MSG, Database Processes and Database; the ABAP and Java Enqueue and Message Servers are marked as SPOF]

Single Point of Failure (SPOF)
– Message Server
– Enqueue Server
High Availability means SPOF elimination
– e.g. by using a Hardware Cluster
Database high availability can be assured by Clustering as well

High Availability Architecture I

[Diagram: two Cluster Groups, each containing a complete Add-In Central Instance (Web AS ABAP with ABAP Dispatcher, Work Process, Gateway, Internet Connection Manager; Web AS Java with Java Dispatcher, Server Process, SDM, Internet Graphics Server; ABAP ENQ, ABAP MSG; SCS with Java ENQ, Java MSG) and its Database Processes, with the Database between them]

Complete Central Instance in a Cluster Group
– Web AS ABAP Central System Services are part of the Central Instance
Switch-over time equals the startup time of the Central Instance
Supported HA architecture up to NW04s SP08

High Availability Architecture II

[Diagram: Cluster Groups for the SAP Central Services (ASCS with ABAP ENQ and ABAP MSG, SCS with Java ENQ and Java MSG) and the Database; outside the Cluster Groups an Add-In "Central" Instance (Web AS ABAP, Web AS Java incl. SDM, Internet Graphics Server) and an Add-In "Dialog" Instance (Web AS ABAP, Web AS Java, Internet Graphics Server)]

Separation of the Web AS ABAP Central Services into a separate ASCS instance
Default HA architecture for NW04s
Only the SAP Central Services (ASCS and SCS) need to switch in case of failover
– Low switch-over time
Central Instance hosts SDM
Usage Type PI supports this architecture from SPS08 on
– SAP Note 853510 – Release Restr.: Usage Type PI of SAP NetWeaver 2004s

Scaled Landscape

[Diagram: one Add-In Central Instance (Web AS ABAP, Web AS Java incl. SDM, Internet Graphics Server, ABAP ENQ/MSG and SCS with Java ENQ/MSG – marked as SPOF) with the Database, and 1 to many Add-In Dialog Instances (Web AS ABAP, Web AS Java, Internet Graphics Server) connected through the Database Client]

The expected resource consumption cannot be handled by a single piece of hardware
Extend system resources by adding instances instead of moving to more powerful hardware
NetWeaver 2004(s) Add-In installations scale up using Add-In dialog instances
Unless configured explicitly, each instance is configured the same from the Process Integration point of view

Scaled Landscape / Exchange Profile Issue

[Diagram: Add-In Central Instance and Add-In Dialog Instance, each with Web AS ABAP and Web AS Java hosting Integration Server, Internet Connection Manager, Business Process Engine, Exchange Profile, Integration Builder, Runtime Workbench and Adapter Engine; ABAP ENQ/MSG and SCS (Java ENQ/MSG) on the Central Instance; the Integration Builder Client and the RWB Client connect to the Central Instance]

Up to NW04s SP8 PI has SPOFs for
– Exchange Profile
– Integration Builder
– Runtime Workbench (Alerts)
Therefore Central Instance availability is crucial and ASCS could not be supported
Limitation up to
– NW04 SPS 17
– NW04s SPS 08

Exchange Profile Adaptation

Exchange Profile connection to Web AS ABAP can use load balancing (Message Server, Logon Group)
New Exchange Profile parameters:
– com.sap.aii.connect.directory.mshost
– com.sap.aii.connect.directory.mshttp(s)port
– com.sap.aii.connect.integrationserver.r3.group
– com.sap.aii.connect.integrationserver.r3.mshost
– com.sap.aii.connect.integrationserver.r3.r3name
– com.sap.aii.connect.repository.mshost
– com.sap.aii.connect.repository.mshttp(s)port
– com.sap.aii.connect.rwb.r3.group
– com.sap.aii.connect.rwb.r3.mshost
– com.sap.aii.connect.rwb.r3.r3name
– com.sap.aii.rwb.server.centralmonitoring.r3.group
– com.sap.aii.rwb.server.centralmonitoring.r3.mshost
– com.sap.aii.rwb.server.centralmonitoring.r3.r3name

Scaled Landscape – Messaging

[Diagram: Add-In Central Instance and Add-In Dialog Instance (Web AS ABAP with Integration Server and Internet Connection Manager; Web AS Java with Business Process Engine, Exchange Profile, Integration Builder, Runtime Workbench, Adapter Engine); HTTP sender systems reach the instances through an SAP Web Dispatcher (Load Balancer); IDoc/RFC sender systems first retrieve the list of available instances and then connect to an instance directly]

Scaled Landscape – Adaptations for Adapter Engine

Assignment to PI Domain via Exchange Profile
Hostname, either
– Web AS Java hostname or
– value of parameter SLD.selfregistration.hostname
Hostname used as
– target URL for messages being processed by the Adapter Engine
– target URL in Runtime Workbench
  - Adapter Component Monitoring
  - Adapter Message Monitoring

Scaled Landscape – Adaptations for Integration Engine

Assignment to PI Domain via Exchange Profile
Pipeline URL defined in the Integration Server's Business System in the System Landscape Directory
Hostname used as
– target URL for messages being received by the Adapter Engine
– Integration Server Pipeline URL read by Application Systems if synchronized with SLD

Summary

System Landscape Architecture is driven by different needs like availability, resource consumption and network security
The Landscape Architecture affects the Process Integration configuration
– Exchange Profile parameters
– Service Users, especially if a central System Landscape Directory is used
It is crucial that the System Landscape Architecture and the Process Integration configuration are described in detail:
– Responsibilities, contact persons
– Application servers, hostnames, domains
– SLD strategy
– All service users configured
– "Special" configurations, e.g. adapters disabled on single application servers

Documentation

High Availability
– service.sap.com/ha
– service.sap.com/nw04operation → SAP XI
  - High Availability Guide – SAP XI 3.0
  - Tuning Guide – SAP XI 3.0
SLD Notes
– 768148 Using a separate SLD for XI
– 720717 Reduce the number of System Landscape Directories (SLD)
– 936318 Dividing a SLD instance
– 935474 Consolidate SLD instances
– How To ... Handle the SLD for SAP XI
XI
– 853510 Release Restr.: Usage Type PI of SAP NetWeaver 2004s
– 951910 NW2004s High Availability Usage Type PI

Security
– User and Authorizations
– Network Topology
– Network and Transport Layer Security
– Adapter Security

User administration and authentication

User Store
– Standard: Users are maintained in the SAP NetWeaver AS ABAP (AS-ABAP) user store
– Can also be integrated with LDAP-based user administration
Certificate Store
– XI and RNIF protocols support message-level security based on digital signatures
– RNIF protocol additionally supports encryption
– The required certificates need to be entered into the key store of the SAP NetWeaver AS Java (AS-Java) engine
– In the Integration Directory these certificates are referred to by the name of the key store view and the certificate name
– Recommended to store CA certificates in the TrustedCAs view

Web AS Add-In Installation User Concept I

Web AS Java uses one client of its Web AS ABAP as its user master
For PI only
– Roles defined in Web AS ABAP are available as Groups in Web AS Java
– PI's Web AS Java components' authorization concept is based on Web AS ABAP roles

Web AS Add-In Installation User Concept I

Web AS Java uses one client of its Web AS ABAP as its user master.
Connection data can be found in the UME Provider service, e.g. in the Visual Administrator
– ume.r3.connection.master
Authentication data is read at runtime via RFC

Communication & Service Users - Example

[Diagram: PI components (ABAP: Integration Engine, Cache; J2EE: Adapter Engine, SLD, Integration Builder (IR, ID), Runtime Workbench, XI Tools, Mapping runtime) and the service users on the connections between them – PIISUSER, PIAPPLUSER, PIAFUSER and PIDIRUSER – for Cache Update and Messaging]

Users and connections are read from the Exchange Profile
PIAPPLUSER should only be used as a template!
For each connected Application System, create its own service user (as a copy of PIAPPLUSER) to send messages to the Integration Server.

Service Users

PIREPUSER – Integration Builder Design
– SLD Requests
PIDIRUSER – Integration Builder Configuration
– SLD Requests, Integration Builder Design Requests, Cache Update
PIISUSER – Integration Server
– SLD Requests, Messaging to Adapter Engine, Cache Update
PIAFUSER
– SLD Requests, Messaging to Integration Server
PIAPPLUSER – Application System
– Connection to PI
PIRWBUSER – Runtime Workbench User
– Communication to all PI components
PILDUSER – Exchange Profile
– Connection to Web AS ABAP data store

Single / Standalone System Landscape Directory

[Diagram: one SLD shared by PI DEV, PI CONS and PI PROD. By default all three systems use the same service users (PIREPUSER, PIDIRUSER, PIISUSER, PIRWBUSER, PIAFUSER, PILDUSER, PIAPPLUSER); in the solution PI CONS uses CONSREPUSER, CONSDIRUSER, CONSISUSER, CONSRWBUSER, CONSAFUSER, CONSLDUSER, CONSAPPLUSER and PI PROD uses PRODREPUSER, PRODDIRUSER, PRODISUSER, PRODRWBUSER, PRODAFUSER, PRODLDUSER, PRODAPPLUSER]

By default each PI system uses the same set of service users
If a single SLD is used, the password for all these service users MUST be the same in all connected PI systems
Solution: Define a new set of service users for each PI system
– Service users must be consistently maintained in every PI system
– ALL service users must be created in the SLD
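As an added example (not code from the deck or from SAP), the following Python check models the two rules on this slide for a constructed DEV/CONS/PROD landscape that shares one SLD; the system names, user prefixes and the SLD name are assumptions:

```python
"""Service-user check for PI systems that share a single System Landscape
Directory (SLD), following the slide above.

Added example, not code from the original deck or from SAP. It models the
two rules stated on the slide: a service-user name shared by several PI
systems on the same SLD forces those systems to use the same password, and
every service user of every connected PI system must exist in the SLD.
The DEV/CONS/PROD landscape below is constructed for the demo.
"""
from collections import defaultdict

# The seven service-user roles from the slide, without the system prefix.
SERVICE_USER_ROLES = ("REPUSER", "DIRUSER", "ISUSER", "RWBUSER",
                      "AFUSER", "LDUSER", "APPLUSER")


def service_users(prefix):
    """Full set of service-user names for one PI system, e.g. CONS -> CONSISUSER."""
    return {prefix + role for role in SERVICE_USER_ROLES}


def shared_users_per_sld(landscape):
    """landscape: {pi_system: {"sld": sld_name, "prefix": user_prefix}}.

    Returns {sld_name: {user_name: [pi_systems]}} listing only user names that
    more than one PI system on the same SLD relies on; every entry means the
    password of that user MUST be identical in all listed systems."""
    by_sld = defaultdict(lambda: defaultdict(list))
    for system, cfg in landscape.items():
        for user in service_users(cfg["prefix"]):
            by_sld[cfg["sld"]][user].append(system)
    return {
        sld: {user: sorted(systems) for user, systems in users.items() if len(systems) > 1}
        for sld, users in by_sld.items()
    }


def missing_in_sld(landscape, sld_user_store):
    """sld_user_store: {sld_name: set of user names that exist on that SLD}.

    Returns {sld_name: sorted user names that a connected PI system needs but
    that were never created in the SLD}; an empty dict means all are present."""
    required = defaultdict(set)
    for cfg in landscape.values():
        required[cfg["sld"]] |= service_users(cfg["prefix"])
    missing = {}
    for sld, users in required.items():
        absent = users - sld_user_store.get(sld, set())
        if absent:
            missing[sld] = sorted(absent)
    return missing


# Constructed landscapes: the default situation (every PI system uses the PI*
# users) and the slide's solution (own user set per PI system).
DEFAULT_LANDSCAPE = {
    "PI DEV":  {"sld": "central", "prefix": "PI"},
    "PI CONS": {"sld": "central", "prefix": "PI"},
    "PI PROD": {"sld": "central", "prefix": "PI"},
}
FIXED_LANDSCAPE = {
    "PI DEV":  {"sld": "central", "prefix": "PI"},
    "PI CONS": {"sld": "central", "prefix": "CONS"},
    "PI PROD": {"sld": "central", "prefix": "PROD"},
}

if __name__ == "__main__":
    print("default:", shared_users_per_sld(DEFAULT_LANDSCAPE))
    print("fixed:  ", shared_users_per_sld(FIXED_LANDSCAPE))
    # The PROD* users were forgotten in the SLD: the check names them.
    store = {"central": service_users("PI") | service_users("CONS")}
    print("missing:", missing_in_sld(FIXED_LANDSCAPE, store))
```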

Limit Authorization on PI Content Objects

By default any PI content developer or configurator can modify any object in the Integration Builder Design or Configuration
In distributed teams or in a shared PI environment it might be necessary to limit the authorization of a developer or a group of developers to only one Software Component, to objects within a Software Component, or to specific Configuration Objects.
In the Integration Builder Design and Configuration specific roles can be created. Objects and authorizations on these objects can be added to these roles.

Create a new role in the Integration Builder Design
– Add Object Types of any Software Component and Namespace
Create a new role in the Integration Builder Configuration
– Add Configuration Objects and Collaboration Agreements
Enable usage of Integration Builder roles in the Exchange Profile
Assign users to the newly created Integration Builder roles
– Create dummy roles in Web AS ABAP; these roles are then available as groups in Web AS Java
– Assign users to these roles
– Assign the Integration Builder roles to the above groups in Web AS Java
– Assign unrestricted roles to Super Users


Integration Builder Design Roles


Integration Builder Configuration Roles

Enable Integration Builder roles in Exchange Profile

Integration Builder – Integration Builder Repository
– Parameter com.sap.aii.util.server.auth.activation = true
Integration Builder – Integration Builder Directory
– Parameter com.sap.aii.util.server.auth.activation = true


Assign Users to Integration Builder Roles I


Assign Users to Integration Builder Roles II


Infrastructure Security - Secure Network Topology

[Diagram: network zones from the Internet through an Outer DMZ (Proxies, SAP NetWeaver AS) and an Inner DMZ to the Internal workstation network and the High security area with the Application server farm (e.g. FI, SRM)]

Architecture I

[Diagram: XI in the High security area / Application server farm; an Application Gateway (Reverse Proxy) in the DMZ between the Internet and XI]

– Minimal security requirement for communication with partners
– Secure network protocols required
– Application gateway used for inbound and outbound communication
  - Internet Proxy for outbound HTTP-based communication
  - Reverse Proxy for inbound HTTP-based communication
  - SMTP gateway for inbound and outbound mail

Architecture II

[Diagram: XI in the High security area / Application server farm; an Application Gateway and a Decentral Adapter Engine in the DMZ]

– Intermediate security requirement for communication with partners
– Secure network protocols required
– Decentral Adapter Engine in the DMZ filters incoming messages by
  - Access Control Lists
  - Sender Agreements

Architecture III

[Diagram: XI in the High security area / Application server farm; an Application Gateway and a content gateway (XI, PCK or a 3rd-party Content Gateway) in the DMZ]

– High security requirement for communication with partners
– Secure network protocols required
– Either XI, PCK, or a 3rd-party content gateway used
  - schema / payload validation in the DMZ
  - change of transport protocol

Network and Communication Security

HTTP and SSL
– All PI runtime components support encryption of the HTTP data stream using SSL
– Server or Mutual Authentication
  - An X.509 certificate must be installed on the server component to enable HTTPS
  - The HTTP server identifies itself with a certificate that is verified by the client
  - The HTTP client identifies itself with a certificate that is verified by the server
– Requires that the SAP Cryptographic Library is installed on the AS (ABAP and Java)
– Enabling SSL for ABAP and for Java follows different procedures
– SSL can also be configured for technical (internal) PI communication like cache updates and repository access from the directory
RFC and SNC
– Connections between SAP components can be secured by SNC
– SNC supports three levels of security protection
  - Authentication only
  - Integrity protection
  - Confidentiality protection
– The Web AS security guide explains how to set up SNC

SSL and SNC for secure connections

Secure connections are possible between the following:
XI Internal Communication
– Configuration and Cache updates
– Between Adapter Engine and Integration Server
Messaging
– Between business systems and Integration Server
– Between PCK and Integration Server
– Between business systems and adapters

Enabling SSL – Web Application Server ABAP

Download and install the SAP Cryptographic Library
Maintain Profile Parameters
– ssl/ssl_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– sec/libsapsecu = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssf/ssfapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssf/name = SAPSECULIB
Create the SSL Server Personal Security Environment (PSE)
– Generate a Certificate Signing Request (CSR) for that PSE and send it to a Certification Authority (CA)
Import the CA's trusted root Certificate
Import the Certificate request response into the SSL Server PSE
help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security → Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP

Enabling SSL – Web Application Server Java

Download and install the SAP Java Cryptographic Toolkit
Create the Server's Key Pair to use for SSL
– Generate a Certificate Signing Request (CSR) for that Key Pair and send it to a Certification Authority (CA)
Import the CA's trusted root Certificate
Import the Certificate request response
help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security → Configuring the Use of SSL on the SAP J2EE Engine

Enabling SNC - Checklist

Download and install the SAP Cryptographic Library
Create the Personal Security Environments (PSE)
– Web Application Server
– Clients
– Credentials for PSE files must be set for the user which starts the Web Application Server
SNC-specific configurations

SNC Configuration Web Application Server

Download and install the SAP Cryptographic Library
Environment variables must be defined for both the Web AS ABAP and Java
– SNC_LIB points to sapcrypto.dll
– SECUDIR points to the file system directory where the PSEs are stored
Additionally, profile parameters must be set for Web AS ABAP
– ssf/name = SAPSECULIB
– ssf/ssfapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– sec/libsapsecu = fully qualified path to sapcrypto.dll / libsapcrypto.so
– ssl/ssl_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– snc/enable = 1
– snc/gssapi_lib = fully qualified path to sapcrypto.dll / libsapcrypto.so
– snc/identity/as = p:<PSE's DN>
– plus additional parameters defining the protection level and logon acceptance behavior
Create the Personal Security Environments (PSE)
– Web Application Server
– Clients
– Credentials for PSE files must be set for the user which starts the Web Application Server
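As an added example covering both the SSL parameter list (Enabling SSL – Web Application Server ABAP) and the SNC parameter list on this slide, this Python checker (not code from the deck or from SAP) parses a profile excerpt and reports missing or inconsistent parameters; the profile text, the SID XID and the paths in it are constructed:

```python
"""Checker for the Web AS ABAP profile parameters listed on the "Enabling SSL
– Web Application Server ABAP" and "SNC Configuration Web Application Server"
slides.

Added example, not code from the original deck or from SAP. It parses the
`name = value` profile format and reports what is missing or inconsistent:
the library parameters must all be fully qualified paths to the same
sapcrypto.dll / libsapcrypto.so, ssf/name must be SAPSECULIB, snc/enable
must be 1 and snc/identity/as must carry the PSE's DN as p:<DN>. The sample
profile text, its SID and its paths are constructed for the demo.
"""
import re

# Parameters that must all name the SAP Cryptographic Library (from the slides).
SSL_LIB_PARAMS = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")
SNC_LIB_PARAMS = SSL_LIB_PARAMS + ("snc/gssapi_lib",)
CRYPTOLIB_NAMES = {"sapcrypto.dll", "libsapcrypto.so"}


def parse_profile(text):
    """Parse SAP profile lines (`name = value`, `#` comments) into a dict;
    a later assignment overrides an earlier one, as in a real profile."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def _is_fully_qualified(path):
    """POSIX absolute path or Windows drive path, independent of the host OS."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def _check_crypto_libs(params, lib_params, problems):
    """Every listed parameter must exist and they must agree on one library file."""
    paths = set()
    for name in lib_params:
        value = params.get(name)
        if value is None:
            problems.append(f"{name} is not set")
        elif value.replace("\\", "/").rsplit("/", 1)[-1] not in CRYPTOLIB_NAMES:
            problems.append(f"{name} does not point to sapcrypto.dll / libsapcrypto.so")
        elif not _is_fully_qualified(value):
            problems.append(f"{name} must be a fully qualified path")
        else:
            paths.add(value)
    if len(paths) > 1:
        problems.append("library parameters point to different files: " + ", ".join(sorted(paths)))


def check_ssl(params):
    """Problems with the SSL parameter set; an empty list means it is complete."""
    problems = []
    _check_crypto_libs(params, SSL_LIB_PARAMS, problems)
    if params.get("ssf/name") != "SAPSECULIB":
        problems.append("ssf/name must be SAPSECULIB")
    return problems


def check_snc(params):
    """Problems with the SNC parameter set; an empty list means it is complete.
    The protection-level and logon-acceptance parameters the slide only
    mentions are not checked here."""
    problems = []
    _check_crypto_libs(params, SNC_LIB_PARAMS, problems)
    if params.get("ssf/name") != "SAPSECULIB":
        problems.append("ssf/name must be SAPSECULIB")
    if params.get("snc/enable") != "1":
        problems.append("snc/enable must be 1")
    identity = params.get("snc/identity/as", "")
    # The slide gives the form p:<PSE's DN>; a DN is a comma-separated list of attribute=value pairs.
    if not re.fullmatch(r"p:\s*[A-Za-z]+=[^,]+(,\s*[A-Za-z]+=[^,]+)*", identity):
        problems.append("snc/identity/as must be p:<PSE's DN>")
    return problems


# Constructed profile excerpt: SSL is complete, SNC is only half done.
SAMPLE_PROFILE = """
# instance profile excerpt (constructed for this example)
ssl/ssl_lib     = /usr/sap/XID/SYS/exe/run/libsapcrypto.so
sec/libsapsecu  = /usr/sap/XID/SYS/exe/run/libsapcrypto.so
ssf/ssfapi_lib  = /usr/sap/XID/SYS/exe/run/libsapcrypto.so
ssf/name        = SAPSECULIB
snc/enable      = 0
snc/gssapi_lib  = /usr/sap/XID/exe/libsapcrypto.so
snc/identity/as = CN=XID, OU=PI, C=DE
"""

if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    print("SSL:", check_ssl(params) or "OK")
    print("SNC:", check_snc(params) or "OK")
```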

Transport Level Security

Adapter / protocol | Transport protocol / transport security | Authentication mechanism
XI Protocol        | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
CIDX               | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
IDoc               | RFC / SNC                               | –
RFC                | RFC / SNC                               | –
Plain HTTP         | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
File/FTP           | FTP / FTPs (SSL/TLS)                    | Basic, Client Certificate
SOAP               | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
Mail               | SMTP (Receiver only), POP3, IMAP4 / SSL | Basic, CRAM-MD5
Marketplace        | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
RNIF 2.0           | HTTP / HTTPs (SSL)                      | Basic, Client Certificate
RNIF 1.1           | HTTP / HTTPs (SSL)                      | Basic, Client Certificate

Access control list

Restrict access to the runtime environment
– for sender services of type Business Service or Business System
– for interfaces of these sender services
Restrict access to particular (service) users
Check authorization at runtime
Configure access control in the Integration Directory
– Sender service: specify authorized users in the configuration of the corresponding (sender) service
– Interface: specify authorized users in the configuration of the relevant sender agreement which contains the interface in its object key

Access Control Using Assigned Users

[Diagram: Sender System → PI]

PI validates the sender user information
– against the Business System's assigned users
– against the Sender Agreement's assigned users for specific Interfaces

For Sender Business Systems and Interfaces access control can be restricted to particular service users.
– Service Users must be created in the Integration Server (PIAPPLUSER)
– In the Integration Builder Configuration the Service User must be assigned to
  - Business System
  - Sender Agreement
Supported Adapter Types
– XI Adapter
– Plain HTTP Adapter
– RFC Adapter
– IDoc Adapter
– SOAP Adapter
– RNIF (RNIF Adapter 1.1 and RNIF Adapter 2.0)
– CIDX
– SAP Business Connector Adapter
– Marketplace Adapter
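The two-level check described on these two slides, as an added example in Python (not code from the deck or from SAP); the Integration Directory content, service names, interfaces, namespaces and user names are constructed, and it assumes that a level without assigned users is unrestricted:

```python
"""Runtime access check of the "Access Control Using Assigned Users" slides:
the sender's user is validated against the users assigned to the sender
Business System and then against the users assigned to the Sender Agreement
of the specific interface.

Added example, not code from the original deck or from SAP. Assumptions: the
user name has already been authenticated at transport level; a Business
System or Sender Agreement without assigned users leaves that level
unrestricted; when no Sender Agreement exists for the interface only the
Business System level applies. The Integration Directory content below is
constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SenderAgreement:
    sender_service: str
    interface: str
    namespace: str
    assigned_users: frozenset = frozenset()   # empty = no interface-level restriction


@dataclass
class IntegrationDirectory:
    """Access-control relevant part of the Integration Directory (stand-in)."""
    service_users: dict = field(default_factory=dict)   # sender service -> assigned users
    agreements: dict = field(default_factory=dict)      # (service, interface, ns) -> SenderAgreement

    def add_agreement(self, agreement):
        key = (agreement.sender_service, agreement.interface, agreement.namespace)
        self.agreements[key] = agreement


def authorize(directory, sender_service, interface, namespace, user):
    """Return (allowed, reason); both configured levels must accept the user."""
    # Level 1: users assigned to the sender Business System / Business Service.
    allowed_on_service = directory.service_users.get(sender_service)
    if allowed_on_service and user not in allowed_on_service:
        return False, f"user {user} is not assigned to sender service {sender_service}"
    # Level 2: users assigned to the Sender Agreement that names the interface.
    agreement = directory.agreements.get((sender_service, interface, namespace))
    if agreement is not None and agreement.assigned_users and user not in agreement.assigned_users:
        return False, f"user {user} is not assigned to the sender agreement for {interface}"
    return True, "ok"


def build_sample_directory():
    """Constructed configuration: ERP_DEV sends with its own copies of
    PIAPPLUSER; one of its interfaces is restricted to the finance copy."""
    d = IntegrationDirectory()
    d.service_users["ERP_DEV"] = {"ERPDEVAPPLUSER", "ERPDEVFINUSER"}
    d.add_agreement(SenderAgreement("ERP_DEV", "OrderCreate_Out", "urn:example:orders",
                                    frozenset({"ERPDEVAPPLUSER"})))
    d.add_agreement(SenderAgreement("ERP_DEV", "PaymentNotify_Out", "urn:example:finance",
                                    frozenset({"ERPDEVFINUSER"})))
    d.add_agreement(SenderAgreement("ERP_DEV", "MaterialSync_Out", "urn:example:master"))
    d.add_agreement(SenderAgreement("CRM_DEV", "LeadUpdate_Out", "urn:example:crm",
                                    frozenset({"CRMDEVAPPLUSER"})))
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for req in [("ERP_DEV", "OrderCreate_Out", "urn:example:orders", "ERPDEVAPPLUSER"),
                ("ERP_DEV", "OrderCreate_Out", "urn:example:orders", "PIAPPLUSER"),
                ("ERP_DEV", "PaymentNotify_Out", "urn:example:finance", "ERPDEVAPPLUSER")]:
        print(req, "->", authorize(d, *req))
```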

Message Level Security - Highlights

Message-level security is enabled through the use of digital signatures and encryption in XI 3.0
Digital signatures authenticate the sending partner and ensure data integrity
Adds security controls to communication-level security that are required for B2B communication
Message-level security for the XI 3.0 protocol and the SOAP adapter is based on the Web Services Security (WS-Security) standard
The RNIF 2.0 adapter employs the S/MIME standard
Encryption ensures that the message content is confidential

Archiving secured messages

For non-repudiation purposes, secured messages are archived in the non-repudiation store
For each secured message the following data is stored:
– The raw message
– Security policy as configured in the directory
– References to certificates in the keystore
– Identification of the certificate used
The archive can be monitored using the Runtime Workbench
The non-repudiation archive is only available for the RNIF protocol

Certificate Store

Message-level security (MLS) processing takes place in the SAP NetWeaver AS Java stack
Integration Server security processing makes a web service call to the AS-Java stack for MLS
Certificates of partners, CAs, etc. to be used must be created or imported in the keystore of AS-Java
Integration Directory – references to keystore certificates are made via keystore view and entry name
CA certificates should be stored in the predefined TrustedCAs view

Message Level Security

[Table: message-level security per adapter, with the columns Signature, Non-Repudiation of origin, Non-Repudiation of receipt and Encryption; the Technology column:]

Adapter      | Technology
XI protocol  | WS-Security
SOAP         | WS-Security
Mail         | S/MIME
RNIF 2.0     | S/MIME
RNIF 1.1     | PKCS#7
CIDX         | PKCS#7

Summary

User Management and Authorizations for Process Integration are based on the SAP NetWeaver Add-In Installation. Users and Roles defined in Web AS ABAP are available as Users and Groups in Web AS Java.
Authorization can easily be extended to cover Integration Builder content objects as well.
Process Integration makes use of the SAP NetWeaver Application Server's Security Infrastructure (SSL, SNC, Keystore) for Secure Connections and Message Level Security
Access Control Lists can be used to restrict access to Process Integration for sender systems or sender interfaces

Documentation

Network and Transport Layer Security
– help.sap.com/nw04 → SAP NetWeaver → Security → Network and Transport Layer Security
– service.sap.com/security → Security in Detail → Infrastructure Security → SNC's User Guide
– service.sap.com/security → Security in Detail → Infrastructure Security → TCP/IP Ports Used by SAP Applications
Single Sign-On
– How To ... Enable Single Sign-On (SSO) for SAP XI 3.0
Service User
– 936093 XI 7.0: Change passwords of XI service users
SLD Notes
– 768148 Using a separate SLD for XI

Monitoring

Motivation

Monitoring is a crucial part of an Operation Concept
Monitoring should cover
– Availability of your Landscape Components
– Alerting of error situations
The following Monitoring Tools are available for the Exchange Infrastructure 3.0
– CCMS Monitoring
– Alert Framework
– Runtime Workbench

Monitoring Concept

CCMS Alert Monitor
– Availability of Components
– Process Integration alerts structured by Error Category
– Alerts cannot be assigned to scenarios
Alert Framework and Message-based Alerting
– Assignment of Alerts to Scenarios
– Alerts for Adapter problems
– Escalation processes possible

Process Integration Monitoring Features

PMI-free Alerting – NW04 SP14 and NW04s
Supports NetWeaver Search and Classification for payload search – NW04 SP15 and NW04s SP6
New CCMS monitor template for Business Process Engine – NW04 SP16 and NW04s SR1
Channel Monitoring – NW04 SP17 and NW04s SP8
Planned: Web Service interface for starting and stopping Communication Channels
Planned: Communication Channel Sche...
Planned: Payload Editor

Process Integration and CCMS Alert Monitor

Easy integration of Process Integration into the CCMS Alert Monitor
– Integration Engine
– Business Process Engine
– Adapter Engine
Pre-defined Monitor Template available
Easy Configuration
– CCMS Monitoring enabled by default
– CCMS Alert Monitor configuration through System Group
– Adapter Engine integrated via SAPCCMSR agent

XI Monitoring Template

Access PI's CCMS Monitoring template by running either TC RZ20 or TC S_B6A_52000011 in the folder "Exchange Infrastructure: Monitoring" of the personal user menu.

Alert Framework (ALM) and PI

Using the Alert Framework, PI can generate Alerts for specific Sender / Receiver / Interface combinations (Alert Rules).
Different contact groups can be alerted based on Alert Categories. Alert Rules are assigned to Alert Categories.
The Alert Framework is a standard NetWeaver functionality. Alerts can be delivered using several channels, like Email, SMS or Pager (SAPConnect).
As a prerequisite, End-to-End Monitoring (Process Monitoring Infrastructure, PMI) must be configured
– up to and including NW04 SP13; from SP14 on the Alert generation does not depend on PMI anymore

Alert Categories I

Alert Categories are containers for a certain kind of alert. Additional information like alert texts and subsequent activities as well as recipient lists is maintained per Alert Category.
In the Runtime Workbench, in section Alert Configuration, press the button Create Alert Category. On the following screen maintain an Alert Category.

Alert Categories II

Container Elements for various Message Header information are available for PI Alerts. These Container Elements are filled at runtime with message-specific information and are used within the Alert's short and long text, e.g.
– Container Element SXMS_MSG_GUID returns the Message ID
– Container Element SXMS_FROM_INTERFACE returns the Sender Interface
Subsequent Activities for PI Alerts by default contain links for the respective message to the
– Message Monitoring
– End-to-End Monitoring
Recipients can be identified
– as Fixed Users
– via User Roles
– via Self-Subscription based on User Roles

Alert Rules

Alert Rules define the error situation which raises a specific alert. One Alert Category can contain one or many Alert Rules.
In the Runtime Workbench, in section Alert Configuration, select an Alert Category. Define an Alert Rule and add it to the Alert Category.


Alert Subscription and Alert Inbox

Indexed Search with TRex – Motivation

Payload search
– In many cases application key attributes are used to search for messages
– Enter e.g. "OrderID" to check whether an order was processed
Efficient search for messages
– TREX is an efficient search engine, built to work on high data volumes
– Existing search mechanisms can be used

Indexed Search with TRex – Realization

Integration in Runtime Workbench
– Include monitoring of all ABAP and Java components within the system landscape
– Offer index administration within RWB
– Integrate index-based search in regular message monitoring
Use of the TREX search engine
– TREX is an already existing SAP search engine
– TREX is part of SAP NetWeaver

Channel Monitoring

New with NW04 SP17 and NW04s SP8
Used for monitoring and administrating communication channels
– Start / Stop channels
– Monitor channels for errors
Access via
– Runtime Workbench → Component Monitor → Adapter Engine → Communication Channel Monitor

Summary

Easy integration of Process Integration into the SAP NetWeaver monitoring infrastructure
Difference between CCMS Alert Monitor and Runtime Workbench Alerts
– Structured by Error Category (CCMS)
– Message-based / assignment to scenarios (RWB Alerts)
TRex is used for searching the payload
Communication Channel Monitor available for administration and monitoring of communication channels

Documentation

How To Guides
– How To ... Monitor Exchange Infrastructure 3.0
– How To ... Monitor Integration Processes (ccBPM)
SAP Notes
– 634771 GRMG Customizing File for XI CCMS Heartbeat
– 913858 XI3.0 Alerting: Troubleshooting

Monitoring

Operational Tasks

Architecture

Security

Content TransportArchiving and Deleting Messages


Archiving and Deleting Messages

To avoid database growth, XML messages need to be deleted on a regular basis
Some messages must be archived before deletion
– For legal reasons
– If messages are canceled manually because of a serious error situation, to record that the EO delivery is broken

Messages need to be archived and deleted on both the Integration Engine and the Adapter Engine


Define Interfaces for Archiving

Define Interfaces for Archiving
– Interfaces defined for archiving cannot be deleted before they have been archived
– All other interfaces can be deleted if they are successfully processed

– Manually canceled messages must be archived before deletion. It is not necessary to define interfaces for manually canceled messages. They are archived in any case during the archiving job.

Transaction SXMB_ADM – Define Interfaces for Archiving and Retention Periods


Define Retention Periods

Define Retention Periods for
– asynchronous messages awaiting deletion or archiving
– synchronous messages with or without errors awaiting deletion
– history entries for deleted messages

Transaction SXMB_ADM – Define Interfaces for Archiving and Retention Periods


Schedule Archiving and Delete Jobs (Integration Engine)

Jobs for archiving and deletion in the Integration Engine need to be scheduled
Transaction SXMB_ADM
– Schedule Archiving Jobs
– Schedule Delete Jobs


Schedule Archiving and Delete Jobs (Adapter Engine)

Jobs for archiving and deletion in the Adapter Engine need to be scheduled
Runtime Workbench – Component Monitoring – Adapter Engine – Background Processing
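The housekeeping rules on the preceding slides (interfaces defined for archiving, retention periods per message category, manually canceled messages always archived) combine into one decision per persisted message. The following is an added example written for this page in Python; it is not SAP code and not how the SXMB_ADM archiving and delete jobs are implemented. It models the slides' rules as a small policy engine over constructed sample messages; the class and field names (RetentionPolicy, Message, decide, plan), the interface names and the dates are assumptions made for the illustration.

```python
"""Added example: a model of the XI housekeeping rules from the slides.

Illustration code written for this page, not SAP's implementation of the
SXMB_ADM archiving and delete jobs.  Rules modelled:
  * messages of interfaces defined for archiving must be archived before
    they may be deleted;
  * messages of all other interfaces may be deleted once successfully
    processed;
  * manually canceled messages are always archived, whatever the interface;
  * a retention period applies per category (asynchronous messages,
    synchronous messages with / without errors, history entries).
All names, field layouts and sample data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    archive_interfaces: frozenset   # interfaces defined for archiving in SXMB_ADM
    async_days: int                 # asynchronous messages awaiting deletion or archiving
    sync_ok_days: int               # synchronous messages without errors
    sync_error_days: int            # synchronous messages with errors
    history_days: int               # history entries of already deleted messages


@dataclass(frozen=True)
class Message:
    msg_id: str
    interface: str
    is_async: bool                  # True: asynchronous (EO / EOIO), False: synchronous
    status: str                     # "success", "error" or "cancelled" (manual cancel)
    processed_on: date
    archived: bool = False          # set by the archiving job once the message is archived


def retention_days(msg: Message, policy: RetentionPolicy) -> int:
    """Retention period that applies to this message's category."""
    if msg.is_async:
        return policy.async_days
    return policy.sync_error_days if msg.status == "error" else policy.sync_ok_days


def decide(msg: Message, policy: RetentionPolicy, today: date) -> str:
    """Return 'archive', 'delete' or 'keep' for one persisted message."""
    if (today - msg.processed_on).days < retention_days(msg, policy):
        return "keep"                                   # retention period not yet over
    must_archive = msg.interface in policy.archive_interfaces or msg.status == "cancelled"
    if must_archive:
        # The delete job must never get these first: archive, then delete.
        return "delete" if msg.archived else "archive"
    if msg.status == "success" or not msg.is_async:
        # Other interfaces: delete once successfully processed.  Synchronous
        # messages with errors are final as well and are deleted after their
        # own (usually longer) retention period.
        return "delete"
    # Asynchronous message in error on a non-archived interface: it is waiting
    # to be restarted or canceled manually, so housekeeping leaves it alone.
    return "keep"


def plan(messages, policy: RetentionPolicy, today: date) -> dict:
    """Group message IDs by the job that should handle them."""
    result = {"archive": [], "delete": [], "keep": []}
    for msg in messages:
        result[decide(msg, policy, today)].append(msg.msg_id)
    return result


def history_entry_expired(deleted_on: date, policy: RetentionPolicy, today: date) -> bool:
    """History entries of deleted messages have their own retention period."""
    return (today - deleted_on).days >= policy.history_days


# Constructed sample data (not taken from any real system).
POLICY = RetentionPolicy(
    archive_interfaces=frozenset({"SalesOrder_Out"}),
    async_days=7, sync_ok_days=1, sync_error_days=14, history_days=30,
)
TODAY = date(2006, 11, 15)
SAMPLE = [
    Message("m1", "SalesOrder_Out", True, "success", date(2006, 11, 1)),
    Message("m2", "SalesOrder_Out", True, "success", date(2006, 11, 1), archived=True),
    Message("m3", "StockUpdate_Out", True, "success", date(2006, 11, 1)),
    Message("m4", "StockUpdate_Out", True, "success", date(2006, 11, 12)),
    Message("m5", "StockUpdate_Out", True, "cancelled", date(2006, 11, 1)),
    Message("m6", "StockUpdate_Out", True, "error", date(2006, 11, 1)),
    Message("m7", "PriceLookup_Sync", False, "error", date(2006, 11, 5)),
    Message("m8", "PriceLookup_Sync", False, "success", date(2006, 11, 13)),
]

if __name__ == "__main__":
    for job, ids in plan(SAMPLE, POLICY, TODAY).items():
        print(f"{job:8s} {ids}")
```

The ordering inside decide is the point of the model: the retention check comes first, then the "must be archived" check, and only then the plain delete rule, so a message of an archiving interface (or a manually canceled one) can never reach the delete branch before the archiving job has handled it.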

Content Transport


CMS Transport - Basics

Change Management Service (CMS) is part of the SAP NetWeaver Java Development Infrastructure (SAP NWDI)

CMS is comparable to the ABAP Change and Transport System (CTS)
CMS and CTS are not integrated. This means there is no automatic synchronization between the two
CMS is closely integrated with the Design Time Repository (DTR), the Component Build Service (CBS), and the System Landscape Directory (SLD)
CMS is optimized for the transport of source code changes within NWDI


CMS Transport - Basics

CMS is also used to transport Integration Builder content (XI content)

[Figure: Change Management Service (CMS) together with the SLD transporting content across IB DEV, IB CONS and IB PROD, each with its Repository (REP), Directory (DIR) and Integration Server (IS)]


CMS Transport – Basics – Conceptual Match

CMS:
– Optimized for the transport of source code changes within NWDI
– Partitioning by SWCVs

Integration Builder (Repository):
– Design tool for the development of design objects
– Partitioning by SWCVs
– Uses CMS mainly for the transport of design object changes
=> Conceptual match

Integration Builder (Directory):
– Configuration tool
– No partitioning by SWCVs
– Uses CMS for the distribution of configuration data
=> Conceptual mismatch


Transport Basics – Versioning (Repository)

Repository transport is versioned
– No new object versions are created during import
– No manual post-processing is necessary after import
– Import order is not relevant

[Figure: Source Repository holding Object Versions 1, 2 and 3; Transport 1 carries Object Version 2, Transport 2 carries Object Version 1, Transport 3 carries Object Version 3; the Target Repository receives the same object versions, with the active version marked]


Transport Basics – Versioning (Directory)

Directory transport is not versioned
– New object versions are created during import
– Manual activation of imported objects is necessary
– Import order is relevant

[Figure: Source Directory holding Object Versions 1, 2 and 3; Transports 1, 2 and 3 each carry one object version into the Target Directory, where a new object version is created on each import, with the active version marked]
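The contrast drawn on the two versioning slides (Repository transports carry object versions and are order-independent; Directory transports create a new version on every import, need manual activation, and are therefore order-dependent) can be made concrete with a small model. The following is an added example written for this page in Python; it is not SAP code and not the Integration Builder's actual import logic. The class names, the payload strings and the rule that the highest imported version becomes the active Repository version are modelling assumptions.

```python
"""Added example: a model of the two XI transport import semantics.

Illustration code written for this page, not SAP's implementation.
  * Repository: transports carry object versions; import stores a version
    under the number it already has, creates nothing new and is therefore
    independent of the order in which transports arrive.
  * Directory: import always creates a new local version, which then has to
    be activated manually, so the last import wins and order matters.
Names, payload strings and the "highest version is active" rule for the
Repository are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectVersion:
    name: str          # design / configuration object, e.g. a mapping
    version: int       # version number assigned in the source system
    payload: str       # object content (a stand-in for the XML definition)


class Repository:
    """Versioned target: keeps the source version numbers."""

    def __init__(self):
        self.history = {}          # name -> {source version: payload}
        self.active = {}           # name -> active version number

    def import_transport(self, transport):
        for obj in transport:
            versions = self.history.setdefault(obj.name, {})
            versions[obj.version] = obj.payload        # no new version is created
            self.active[obj.name] = max(versions)      # activated without a manual step

    def active_payload(self, name):
        return self.history[name][self.active[name]]


class Directory:
    """Unversioned target: every import appends a fresh local version."""

    def __init__(self):
        self.history = {}          # name -> [payload, ...]; index + 1 is the local version
        self.active = {}           # name -> local version number, None until activated

    def import_transport(self, transport):
        for obj in transport:
            self.history.setdefault(obj.name, []).append(obj.payload)  # new version every time
            self.active.setdefault(obj.name, None)                     # still needs activation

    def activate(self, name):
        """Manual post-processing: activate the most recently imported version."""
        self.active[name] = len(self.history[name])

    def active_payload(self, name):
        if self.active[name] is None:
            return None
        return self.history[name][self.active[name] - 1]


# Constructed transports: the same three object versions in three transports,
# as on the slide (Transport 1 = version 2, Transport 2 = version 1, Transport 3 = version 3).
TRANSPORTS = {
    1: [ObjectVersion("Mapping_A", 2, "v2")],
    2: [ObjectVersion("Mapping_A", 1, "v1")],
    3: [ObjectVersion("Mapping_A", 3, "v3")],
}


def run_repository(order):
    """Import transports in the given order; return (known versions, active payload)."""
    repo = Repository()
    for number in order:
        repo.import_transport(TRANSPORTS[number])
    return sorted(repo.history["Mapping_A"]), repo.active_payload("Mapping_A")


def run_directory(order):
    """Import in the given order, then activate.

    Returns (local version count, payload before activation, payload after activation).
    """
    directory = Directory()
    for number in order:
        directory.import_transport(TRANSPORTS[number])
    before = directory.active_payload("Mapping_A")    # None: nothing active until activated
    directory.activate("Mapping_A")
    return len(directory.history["Mapping_A"]), before, directory.active_payload("Mapping_A")


if __name__ == "__main__":
    for order in ((1, 2, 3), (3, 1, 2)):
        print(order, "repository:", run_repository(order), "directory:", run_directory(order))
```

Running the two orders (1, 2, 3) and (3, 1, 2) gives the same Repository state both times, while the Directory ends up with three locally numbered versions and a different active one depending on which transport arrived last; that is the operational reason Directory transports have to be imported in sequence and then activated.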


CMS Transport – Basics – Advantages and Disadvantages

The use of CMS for XI content is optional. XI content can also be transported on the file system only or in parallel.

Advantages of using CMS:
– Traceability
– Quality assurance
– Confirmation messages during process steps
– Transport of always exactly defined parts
– Automation

Disadvantages:
– Installation effort
– Maintenance (user management, tracks, …)


CMS Transport – Basics – Tracks

Transport routes are defined by ‘tracks’
– A track consists of up to three systems, called DEV, CONS, and PROD
– A single track is defined for the transport of a specified set of SWCVs
– A single track can be defined either for a Repository or a Directory transport, but not for both at the same time
– Tracks can be connected to create transport routes with more than three systems
– A track can have multiple successor tracks

[Figure: Track 1 for SWCV1 runs from IB DEV via IB CONS 1 to IB PROD; Track 2 for SWCV2 runs from IB DEV to IB CONS 2; each system is shown with its Repository (REP)]


Summary

XML Messages on the Integration Engine and the Adapter Engine must be archived (in some cases) and deleted to avoid database growth

SAP Change Management System (CMS) can be used to transport Integration Builder Design and Configuration Objects through the XI system landscape


THANK YOU FOR YOUR ATTENTION!

QUESTIONS – SUGGESTIONS – DISCUSSION


Copyright 2006 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
