SAP AG

Enablement Kit for SAP NetWeaver Business Client – V1.30 SAP NWBC 3.0 Technical Requirements & Server Side Configuration Overview

In this presentation we consolidate the activities on the ones to be performed on OS level and for each transaction

At the end you find a short summary for a SAP GUI based end-user check as well as the front-end related configuration steps

SAP NetWeaver Business Client 3.0 Objective

SAP NetWeaver Business Client 3.0 Required Backend Release and Stack

Minimum Release and Support Package Stack Level for Productive Use:

SAP NWBC is only released for customers and partners implemtening SAP Best Practices packages based on enhancement package 4 for SAP ERP 6.0 and / or using SAP SRM 7.0

Enhancement package 1 SPS06 for SAP NetWeaver 7.0 appl. server ABAP (“SAP NW 7.01 SPS06* application server ABAP”)

Enhancement package 4 for SAP ERP 6.0 application server ABAP (“SAP ERP 6.04 AS ABAP”)

Plus SAP Cryptographic Software

• Technically the runtime is as well included as of NetWeaver 7.00 SPS 21, „SAP NW 7.00 SAP21“. SAP NetWeaver Business Client 3.0 is planned to be shipped together with enhancement package 5 for SAP ERP 6.0, „SAP ERP 6.05“, and other SAP business suite applications based on enhancement package 2 for SAP NetWeaver 7.0, „SAP NW 7.02“.

Follow the instructions stated in SAP notes 1368177 (SAP NWBC 3.0 Released for SAP BAiO Packages and SAP SRM 7.0) 1353538 (SAP NetWeaver Business Client 3.0 - Patch Collection) The SAP NetWeaver Business Client runtime supports the usage of SAP NetWeaver Business Client 3.0 for Desktop as well as the usage of SAP NetWeaver Business Client 3.0 for HTML.

SAP NetWeaver Business Client 3.0 High Level Backend Configuration Steps

Installation and configuration of SAP Crypto Library Activities on OS level, configure system parameters, TX STRUSTSSO2

Enablement of SSO2 tickets / cookies configure system parameters

Enable enhanced POWER list functionality in the Switch Framework (SFw) Switch activation in TX SFW5

Configuration of the Internet Communication Manager (ICM) / https enablement TX STRUSTSSO2, configure system parameters, TX SMICM

Configuration of the Internet Communication Framework (ICF) TX SICF

Enable enhanced PFCG functionality TX SM30_SSM_CUST

Role assignment TX PFCG and/or SU01

SAP NetWeaver Business Client 3.0 Backend Configuration – SAP Crypto Library (1/2)

Download the current SAP Crypto Library via SAP Software Distribution Center (SWDC) in SAP Service Marketplace (SMP)

• https://service.sap.com/swdc > Download > SAP Cryptographic Software • E. g. SAP Cryptographic Library Microsoft Windows 2003 for x86_64

Extract the content of the SAP CAR or SAR file into the kernel folder

• E. g. for Windows 2003 x64 server using command sapcar –xvf 90000114.SAR • Copy sapcrypto.dll and sapgenpse.exe from extraction folder ..\ nt-x86_64 to

..\sapmnt\<SID>\SYS\exe\uc\NTAMD64

System profile parameter adaption consolidated in separate slide Same applies for configuration of TX STRUSTSSO2

SAP NetWeaver Business Client 3.0 Backend Configuration – SAP Crypto Library (2/2)

Additional detailed information in SAP Help Portal

• http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 > SAP NetWeaver 7.0 Library (including Enhancement Package 1) or > SAP NetWeaver 7.0 Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > Network and Transport Layer Security > Using the SAP Cryptographic Library for SNC > Configuring the Use of the SAP Cryptographic Library for SNC > Configuring SNC for Using the SAPCRYPTOLIB on the AS ABAP http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/3f443c8c06702ee10000000a11405a/frameset.htm

SAP NetWeaver Business Client 3.0 Backend Configuration – System Parameters (1/2)

Depending on your architecture it might be reasonable to distribute the parameters to the default or instance profile (DEFAULT.PFL / <SID>_DVEBMGS<instance-nr.>_<server>, e. g. EH3_DVEBMGS00_BPEHP). In general it is valid to include the parameters in the instance profile. You can either use transaction RZ10 for maintaining the profiles or editing them directly on OS level – ensure always before edition in transaction RZ10 that you uploaded the current version from the OS level (menu: Utilities > Import profiles > Of active servers)

Distribution of parameters to the default and instance profile

Attention After maintaining the system parameters you need to restart your system so that the parameters will be taken into account. For Windows servers the service SAP<SID>_<instance-nr.> (e. g. SAPEH3_00) as well needs to be restarted before the SAP application server ABAP is started again.

SAP NetWeaver Business Client 3.0 Backend Configuration – System Parameters (2/2)

Full Qualified Domain Name (FQDN)

• e. g. icm/host_name_full = iwdfvm4711.wdf.sap.corp

Define http(s) settings

• e. g. with following time-out values, SMTP for completeness icm/server_port_0 = PROT=HTTP,PORT=500$$,PROCTIMEOUT=300,TIMEOUT=900 icm/server_port_1 = PROT=HTTPS, PORT=443$$, PROCTIMEOUT=300, TIMEOUT=900 icm/server_port_2 = PROT=SMTP, PORT=250$$, PROCTIMEOUT=300, TIMEOUT=900

Enable SSO2 cookie acceptance and creation

• login/accept_sso2_ticket = 1 login/create_sso2_ticket = 2

SAP Crypto Library

• e. g. for Windows 2003 x64 servers sec/libsapsecu = $(DIR_CT_RUN)\sapcrypto.dll ssf/name = SAPSECULIB ssf/ssfapi_lib = $(DIR_CT_RUN)\sapcrypto.dll ssl/ssl_lib = $(DIR_CT_RUN)\sapcrypto.dll

SAP NetWeaver Business Client 3.0 Backend Configuration – TX STRUSTSSO2

Others to be created in the same way

All required certificates are created

The following four certificates must be created: System PSE SNC SAPCryptolib SSL server Standard SSL client SSL Client (Standard)

If you use server signed certificates you will receive some warnings when logging on via SAP NWBC 3.0 but functionality is not affected.

These screenshots show examples of self-signed certificates maintained via right mouse clicks.

SAP NetWeaver Business Client 3.0 Backend Configuration – TX SMICM

• Menu: Goto > Services or [Shift]+[F1] or

Verify in transaction SMICM that https service is activated

• If https is not active, activate the service via menu: Service > Activate To be able to activate https the SSL server Standard certificate needs to be created (see previous slide)

SAP NetWeaver Business Client 3.0 Backend Configuration – TX SFW5

Activate in TX SFW5 enterprise business function /KYK/GEN_AIO_SIMPLIFICATION

SAP NetWeaver Business Client 3.0 Backend Configuration – Services, TX SICF 1/3

To make use of SAP NWBC you need to activate various services in TX SICF. Most important is the so-called cockpit, /sap/bc/nwbc linked to the external alias /nwbc. The other services are used to enable the framework (especially /sap/public), and to display the various transactions.

Attention If you have already activated part of the node you can activate the entire tree by deactivating and reactivating the upper node. However, you have to update the service tree with the Refresh icon .

Activate Services in TX SICF

SAP NetWeaver Business Client 3.0 Backend Configuration – Services, TX SICF 2/3

Update the specified services in the Internet Communication Frameworks (ICF), for general information see Note 517484.

Activate Services in TX SICF

Call transaction SICF

Execute (F8)

Node /Select service with the mouse /highlight

Menu Service/Host - Activate (Ctrl+F11) or use the mouse and right-click to activate the service

SAP NetWeaver Business Client 3.0 Backend Configuration – Services, TX SICF 3/3

Mandatory services to be activated: ===================================

/default_host/sap /public /bc/icons /icons_rtl /pictograms /ur /webdynpro/* /webicons /bsp/sap/htmlb /public/bc /system /icf_info only required /logon_groups with load distrib using msg server /urlprefix with load distrib using msg server /icr_groups with load distrib using Web Dispat /icr_urlprefix with load distrib using Web Dispat /icman /myssocntl /bc /bsp/sap/public/bc /system /gui/sap/its/* depending on the processes to be implemented (only needed for usage of SAP NWBC 3.0 for HTML) /igs_data /nwbc /print/* /smart_forms /webdynpro depending on the processes to be implemented /kyk/* /sap/lord* /create_complaints_comp /cust_cockpit_comp /lo_oif* /o2c_* /powl* /wdk* /wdhc_application

Test applications for troubleshooting: ======================================

/default_host/sap /bc /echo/* ICF / system /error/* /bsp/sap BSPs /bsp_veri /htmlb_samples /it00 /sbspext_htmlb /sbspext_xhtmlb /webdynpro/sap WD ABAP /wdr_test_events /wdr_test_ui_elements /wdr_test_table /wdr_test_popups_rt /wdr_test* as specified in the name

Services for WD ABAP development: ================================= For security reasons, these services should NOT be activated in a production system.

/default_host/sap /bc /wdvd/ /wd_trace_tool /webdynpro/sap /configure_* /wd_analyze_*

SAP NetWeaver Business Client 3.0 Backend Configuration – Roles (1/2)

The use of SAP NWBC is for SAP BAiO packages based on ABAP roles. So to be able to use SAP NWBC as a user interface, roles need to be assigned to the logon user. Within the SAP BAiO packages, the SAP_AIO_* roles delivered initially with SAP ERP 6.0 have been adapted to the delivered scenarios. For enhancement package 3 for SAP ERP 6.0 they start with SAP_BPR_*, for enhancement package 4 for SAP ERP 6.0 they start with SAP_NBPR_*. Please use either TX SU01 to assign roles to a specific user or PFCG to assign users to specific roles. Afterwards do not forget to perform the user comparison in TX PFCG for all newly assigned roles! Usually SAP_[AIO; NBPR]_EMPLOYEE_S + the relevant functional roles should be assigned to the user. Details can be found in the SAP BAiO Business Process Documentation (BPD).

General Information

SAP NetWeaver Business Client 3.0 Backend Configuration – Roles (1/2) In order to make use of the complete additional PFCG functionality for SAP NWBC 3.0 you need to enhance client independent configuration table with the following value using TX SM30 or directly SM30_SSM_CUST : Field name: ADD_MENU_DETAILS Value: YES

Call transaction SM30

Table/View: ssm_cust

Button [Maintain]

Button [New entries]

Description: ADD_MENU_DETAILS Value to be set: YES

Save your settings

SAP NetWeaver Business Client 3.0 Backend Configuration – Cockpit (1)

When SAP NWBC 3.0 is connected to an ABAP system, central access point on ABAP side is the so-called cockpit. The call is established via an external alias /nwbc, so that the URL has always the same structure. This external alias is connected to service /sap/bc/nwbc. For example with standard scenario: http(s)://<server>.<domain>.<ext>:<port>/nwbc forwards automatically to http(s)://<server>.<domain>.<ext>:<port>/sap/bc/nwbc For further information please have a look at SAP Note 1368177.

SAP NWBC Cockpit

SAP NetWeaver Business Client 3.0 Backend Configuration – Cockpit (2) To ensure correct communication you need to verify that the error pages handling of logon errors of the cockpit is configured correctly. Access the service (sap/bc/nwbc) in TX SICF with a double click :

• Radio button System Logon selected and • Configured for Service Specific Settings displaying at least System Messages using protocol Logon

via HTTPS

SAP NetWeaver Business Client 3.0 Backend Configuration – System Logon

Configuration of the System Logon screen for SAP NWBC

You can define how the logon screen for SAP NWBC should look like and which parameters should be set for the logon process. To do so doubleclick on the respective service node for your cockpit in transaction SICF, choose -> Error Pages -> Logon Errors and then the button Configuration (see previous slide). You can decide wether you want to use the global settings (usually only user and password) or if you want to set further parameters for the logon process. You can find a detailed description for the configuration in http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/3a0638902131c3e10000000a42189d/content.htm.

SAP NetWeaver Business Client 3.0 Backend Config. – Table NWBC_CFG (1)

One entry is mandatory

Use transaction SE16 or SE16n to create a new client specific table entry in table NWBC_CFG (refer to chapter 4.6 in general SAP NWBC 3.0 documentation):

IDX: Any three characters Cockpit: * Name: BUSINESS_LINE Lang: <empty> Display: <empty> Value: BAiO Cockpit Path: <empty>

SAP NetWeaver Business Client 3.0 Backend Config. – Table NWBC_CFG (2)

Adding a Branding Image and URL to NWBC Layout

Also via table NWBC_CFG you can define a branding image in the lower part of the left navigation panel with a clickable URL behind the image. Therefore make the following entries in table NWBC_CFG via transaction SE16: Branding image: IDX = any ID, consisting of three characters COCKPIT = * (means relevant for all Cockpits) NAME = BRANDING_IMAGE VALUE = URL The URL must be a link to a picture (JPG or PNG) and it must be ensured that the image can be loaded without authorization having been required. Branding URL: IDX = any ID, consisting of three characters COCKPIT = * (means relevant for all Cockpits) NAME = BRANDING_URL VALUE = URL The URL can be the corporate portal page of the company which is then loaded. For the configuration of table NWBC_CFG and the available parameters see also the general documentation for SAP NWBC 3.0, chapter 4.6 Configuration via Table NWBC_CFG.

Some of the settings to be made require deeper knowledge in SAP basis system administration, such as system profile parameters and configuration of SSO. Therefore it is recommended that the user just check for the correctness of the settings and the system administrator takes care of the correct configuration of these areas. System parameters: They can easily be checked using TX RSPFPAR uploading the following selection from the clipboard: icm/host_name_full icm/server_port_* login/*_sso2_ticket sec/libsapsecu ssf/* ssl/*

Check for “Trust Manager for Single Sign-On with Logon Ticket” configuration – TX STRUSTSSO2 The following nodes need to be created: System PSE, SNC SAP Cryptolib, SSL Server Standard, SSL client SSL Client (Standard)

ICM Monitor – Service Display – TX SMICM, Goto - Services: http and https enabled Switch Framework – TX SFW5: Enterprise Business Funktion /KYK/GEN_AIO_SIMPLIFICATION enabled Internet Communication Framework – TX SICF: Check that required services are activated If services cannot be activated or are not found in the system run transaction SIAC_PUBLISH_ALL_INT to publish them at once

Roles – TX SM30_SSM_CUST + PFCG / SU01: Enable additional details for view SSM_CUST and assign required roles to your user

Additional cockpit configuration – TX SICF: For correct SAP NWBC 3.0 connection to the backend you need to verify that the error pages handling of logon errors of the cockpit is configured correctly: •Radio button System Logon selected and •Configured for Service Specific Settings displaying at least System Messages using protocol Logon via HTTPS

SAP NetWeaver Business Client 3.0 “End-user Tests”

SAP NetWeaver Business Client 3.0 Additional Information Sources

1400383 SAP BAiO: NWBC & EhP4 for SAP ERP 6.0 (ABAP) – Configuration (Basis for the information in this presentation)

1368177 AP NWBC 3.0 Released for SAP BAiO Packages and SAP SRM 7.0 (Release Information for NWBC 3.0 for SAP BAiO partners and customers)

517484 Inactive services in the Internet Communication 1165371 SAP Best Practices Role Files for All-in-One EhP3 (Best Practices Roles for EhP4 solutions will be delivered with the corresponding Add-On)

-> If you are using an SAP Best Practices solution check the latest version of the corresponding note to obtain updates and corrections.

SAP Notes

Documentation on the SAP Help Portal for SNC http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 > SAP NetWeaver 7.0 Library (including Enhancement Package 1) or > SAP NetWeaver 7.0 Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > Network and Transport Layer Security > Using the SAP Cryptographic Library for SNC > Configuring the Use of the SAP Cryptographic Library for SNC > Configuring SNC for Using the SAPCRYPTOLIB on the AS ABAP http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/3f443c8c06702ee10000000a11405a/frameset.htm

© 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, Clear Enterprise, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP France in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.