We often find that the SM59 RFC connection SAPOSS, or another connection related to SAPNet, is not working. Most of the time this is due to a wrong password, which we can easily correct with the correct logon data, which is as follows (SAP Note 182308):
Language    EN
Client      001
User        OSS_RFC
Password    CPIC


But this is not what I wanted to discuss here. Here we will check the firewall connection and how to create these RFC connections automatically.

Before we proceed, it is very important to maintain the correct hostname (use the FQDN) and its correct IP address, which must be reachable from outside your customer network.

So double-checking it is the best idea.

Scenario 1

In the OSS1 screen above, the SAProuter 1 and SAProuter 2 entries are filled in. Filling in these entries is not mandatory for your OSS connection in SM59 to work, BUT the connection between your server firewall and the SAPNet firewall must be allowed.


Let's move to this scenario, where both the SAProuter 1 and SAProuter 2 entries are filled with your customer hosts on which saprouter is configured.

For the sake of discussion, let's assume the server where you execute transaction OSS1 is named “C”, and the two other servers are host A and host B, as shown in the figure.


The flow will be C -> A -> B -> SAPNet

1. Log in to server C and check the port

telnet <A IP/hostname> 3299

You should get a response like the one below


2. Then log in to host A and check the port

telnet <B IP/hostname> 3299


Now we will check the reverse direction for the incoming flow

B -> A -> C


1. Log in to host B and check the port for A

telnet <A IP/hostname> 3299


2. Log in to host A and check the port for C. Here you have to use your application instance number; if it is, let's say, 40, then

telnet <C IP/hostname> 3240


If any of the above telnet checks does not work, get in touch with your client network/firewall team and request them to open the port.


In this scenario, SAProuter 2 is the router that is responsible for the first entry point from outside your client network. This means the firewall at host B should be open for SAPNet to enter. If this has not been done earlier, you also have to get in touch with the SAPNet network team by means of an OSS message and request them to allow entry for your host A


Scenario 2

When we fill in SAProuter 1 only, not SAProuter 2

This means that in the client network host A will be the entry/exit point, and your application servers will communicate with SAPNet like this

C -> A -> SAPNet

You have to check your firewall accordingly.
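
The hop-by-hop checks from both scenarios, as an added shell example that is not part of the original post: it lists which host must reach which port and replaces the interactive telnet with a timed connect test. The names hostC, hostA and hostB are placeholders, and the 32NN port rule generalizes the 3240 example above.

```shell
#!/bin/sh
# Added example, not from the original post. hostC/hostA/hostB are placeholders.

SAPROUTER_PORT=3299   # SAProuter port used in the telnet checks

# Dispatcher port for a two-digit instance number: 32NN (instance 40 -> 3240).
# The leading zero is stripped so that "08" is not read as an invalid octal number.
dispatcher_port() {
    case "$1" in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits: $1" >&2; return 1 ;;
    esac
    nn=${1#0}
    echo $((3200 + nn))
}

# Print one required check per line as "<run-on> <target> <port>".
# $1 = application server C, $2 = instance number of C,
# $3 = SAProuter 1 (host A), $4 = SAProuter 2 (host B); omit $4 for scenario 2.
hop_plan() {
    c=$1; a=$3; b=${4:-}
    cport=$(dispatcher_port "$2") || return 1
    echo "$c $a $SAPROUTER_PORT"        # outgoing: C -> A
    if [ -n "$b" ]; then
        echo "$a $b $SAPROUTER_PORT"    # outgoing: A -> B
        echo "$b $a $SAPROUTER_PORT"    # incoming: B -> A
    fi
    echo "$a $c $cport"                 # incoming: A -> C (instance port)
}

# Non-interactive TCP connect test with a 5 second timeout.
check_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    fi
}

# Run only the checks that start on this machine.
# $1 = the name this machine has in the plan, remaining arguments as for hop_plan.
run_checks_from() {
    me=$1; shift
    plan=$(hop_plan "$@") || return 1
    rc=0
    while read -r src dst port; do
        [ "$src" = "$me" ] || continue
        if check_port "$dst" "$port"; then
            echo "OK      $src -> $dst:$port"
        else
            echo "BLOCKED $src -> $dst:$port (ask the firewall team to open it)"
            rc=1
        fi
    done <<EOF
$plan
EOF
    return "$rc"
}

# Usage: sh oss_hops.sh <this-host> <C> <instance-nr> <A> [<B>]
if [ "$#" -ge 4 ]; then
    run_checks_from "$@"
fi
```

Run it once on each host in the chain, passing that host's own name as the first argument, so every direction is tested from the machine where the traffic really originates.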


Note 35010 – Service connections: Composite note (overview)


If all these firewall connections are working fine, then delete all RFC connections related to SAPNet and recreate them as follows (SAP Note 812386)

1. Transaction OSS1 ->Parameters -> Technical settings -> Change mode -> Save. The SAPOSS destination can only be updated by saving.

2. Create the RFC destinations again:


  • Use the following path to create SAPNET_RTCC: SE38 -> RTCCTOOL -> list -> Refresh from SAPNet
  • Use the following path to create SAPNET_RFC: SDCC -> Maintenance -> Refresh -> Session overview
  • SDCC_OSS is created initially when you activate SDCCN. If you then want to create a new copy of SAPOSS, use the following path: SDCCN -> Goto -> Settings -> Task specific -> RFC destinations -> Change mode -> ‘Create destination to SAPNet R/3 Frontend’


Check out this wiki for more insight about saprouter at SAPNet.


Hope this will be of help to some of us.

Central user administration configuration in a landscape

Here is the procedure for Central User Administration configuration in a landscape:
1) Create logical systems for all clients in the landscape using BD54 or SALE, whichever you are comfortable with.
2) Attach the logical systems to the clients using the same.
3) Create RFC connections to the relevant systems with the same name as the logical system name.
If your logical system name is SIDCLNT100 for DEV, then create the RFC connection to DEV with the same name, SIDCLNT100.
4) Let us suppose your central system is DEVCLNT100 and your child system is QUACLNT200.
5) Create user CUA_DEV_100 in the DEVCLNT100 system.
6) Create user CUA_QUA_200 in the QUACLNT200 system.
7) Create RFCs to child systems from central and central to child.
8) Now log on to the central system and execute transaction SCUA to configure CUA.
Enter the name of the distribution model: CUA
Press Create.
Enter ALL child system RFCs.
Save your entries; the result screen will now appear.
If you expand the nodes for the individual systems, you normally see the following messages for each system: “ALE distribution model was saved,” “Central User Administration activated,” and “Text comparison was started.” If problem messages are displayed here, follow the procedure in SAP Note 333441.
9) Setting the Parameters for Field Distribution
Enter transaction SCUM in the central system; the following screen will appear. Now maintain your field distribution and save it. You can use transaction SUCOMP to administer company address data. You can use transaction SCUG in the central system to perform the synchronization activities between the central system and the child systems by selecting your child system on the initial screen of transaction SCUG and then choosing Synchronize Company Addresses in the Central System.
After you have synchronized the company addresses, you can transfer the users from the newly connected child systems to central administration. This is done, as with the synchronization of the company addresses, using transaction SCUG in the central system. To do this, on the initial screen of transaction SCUG, select your child system and choose the Copy Users to the Central System button.
You can use the report RSCCUSND from the central system of Central User Administration (CUA) to synchronize the master data of selected users with a child system of the CUA. The report sends the master data (including role and profile assignments) to a child system of the CUA.

If master data exists in the child system for the user sent, it is overwritten.
1. Start report RSCCUSND (for example, using transaction SA38).
2. In the Receiving System field, specify the child system to which you want to send the user data.
3. You can use the fields User and User Group to restrict the number of users.
4. Specify the data that you want to distribute under Distribution Options.
5. Choose Execute.

Configure HTTP or HTTPS Settings in the ICM for SAP NWBC 3.5


In this article, we will see how to configure HTTP or HTTPS Settings in the ICM for SAP NWBC 3.5.

Prerequisite: The user must have installed the SAP GUI and SAP NWBC 3.5 on their desktop in order to log in to it. Also, a basic understanding of SAP NWBC will be helpful to understand this article.


As most of us know, the basic purpose of SAP NWBC is to have all the required applications and traditional SAP transactions on a single platform.

The Internet Communication Manager (ICM) enables communication between your SAP systems and the Internet using the HTTP or HTTPS protocols for the Business Client applications. NWBC (both the shell and most canvas types) uses HTTP to access an ABAP server. It is important that at a minimum one HTTP or HTTPS port is configured and active.

Let’s see the steps to check if the HTTP or HTTPS service exists for given backend SAP R3 system in order to have a communication between Shell and ABAP server.  

Go to transaction code SMICM.  

  After that check if the HTTP or HTTPS service is active or not using Goto -> Services

We can see that HTTP service is active in this case.  

If it is not active, then we can create/change it and then activate it.

Please note that any changes you make here are lost when you restart. If you want to create or change a service permanently, you must do this using the profile parameter icm/server_port_<xx> as follows.

You may not be able to change it if you don’t have the correct authorizations. Check with your BASIS team and make the change.  

In this way you can configure the HTTP or HTTPS settings in the ICM in order to have a communication between shell and ABAP server.

Variant Configuration – Setting up Sales Order Costing

When you use variant configuration, one of the things you often need or want to do is set up sales order costing for your configuration. Surprisingly to me, sales order costing is NOT set up automatically for the TAC item category. So let me walk you through how to set this up (at least as far as I can take you). Like so many things, you’ll need some input from your FICO expert to make sure all the settings are proper for their world.

Now, I’m going to start at the beginning, so you might be able to skip this step, but I’m going to assume you don’t know the requirements class you need to update.

So, use this path to the IMG in order to find your requirements class based on your item category.

I’m going to show the standard Item Category, TAC for a configurable material.  You can simply substitute your item category in here.

Now, it’s nice because you can see your requirements class at the bottom portion of this screen without backtracking to the requirements type screen.

We can get to the real work.  We have to go to a little bit different spot in configuration to adjust these settings.

Now, using the requirements class we located earlier, we can go to the details.

Now, all the work happens on this screen.  Originally, this screen was completely blank in standard SAP.  What I’ve populated is the most standard configuration I’ve used in the past.

Costing:  Setting this to X makes it required for sales order costing.
Costing ID: determines if you want automatic sales order costing (A) or automatic with marking (B).
Costing Method: (1) Product Costing, (2) unit costing
Costing Variant: PPC4 for sales order costing

CndTypLinItm: this is something optional, but it tells you where you can put the value within pricing  if you wish to use it for margin or cost plus calculations
Acct Assignment Cat: M for Ind Cust wo KD-CO
Valuation: M Separate valuation with reference to Sales Document/Project.

Settlement Profile: SD1 – Sales Order Make to Order Production

The one field I skipped is the Settlement Profile.  This one I always defer to my FICO person.  I don’t even pretend to know which one of these to select.

Once you set this stuff, you should be good to go.

SAPJSF User is Getting Locked?

You might have experienced this problem before. This is a known problem if you have a system with the AS Java add-in or a dual stack installed. SAPJSF is a communication user used by the User Management Engine service to connect to the ABAP service. In the ABAP system, you see that user SAPJSF is getting locked, for example from User Information (transaction code: SUIM). Based on my experience, there are several known issues that cause the SAPJSF user to be locked:

  • The password in the UME configuration is different from the one in the ABAP user data.
  • The role for user SAPJSF in the ABAP system is not set correctly.
  • The user type in the ABAP system is not set correctly.

To check your password configuration in the UME service, you can go to the configtool:
- Switch to configuration editor mode.
- Switch to change mode.
- Go to Configuration -> cluster_data -> server -> cfg -> services
- Click on Propertysheet
- Change the password in ume.r3.connection.master.passwd
Make sure that this password configuration is also defined in the ABAP system (transaction SU01).

In general there are two roles which should be assigned to the SAPJSF user in the ABAP system, depending on the configuration. Those are:
And make sure that you generate the profiles for those roles and that they are assigned correctly to user SAPJSF.
By default, SAPJSF is set to the service user type.

SAPRouter : Renew Certificate On Linux

The SAProuter certificate expires after 1 year. Here are the steps to renew my saprouter certificate:

Note: location: /usr/sap/saprouter

First, check the certificate expiry date:
1. Export the variables:
export SECUDIR=/usr/sap/saprouter/
export SNC_LIB=/usr/sap/saprouter/
2. Check when the SAProuter license expires:
/usr/sap/saprouter/sapgenpse get_my_name

Steps to renew the certificate:
1. Go to Press “Apply Now” button.
2. Right-click and copy the parameter under Distinguished Name (Parameter for SAPGENPSE)
3. Log in to the saprouter server and back up the old files: certreq, local.pse, and srcert
4. Run this command:
sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"

for example:
sapgenpse get_pse -v -r certreq -p local.pse "CN=server, OU=0000xxxxxx, OU=SAProuter, O=SAP,

5. Enter the PIN
6. A new file certreq will be created under /usr/sap/saprouter/. Open it using vi and copy all the content.

7. Back in your browser, paste the certreq content copied in step 6 into the field and press the “Request Certificate” button.

8. A new certificate will be created. Copy everything from Begin until End Certificate, go back to your server, create the srcert file using vi and paste it.


9. Run this command to import it into local.pse:
sapgenpse import_own_cert -c srcert -p local.pse

10. Run this command to set the user who will run this saprouter:
sapgenpse seclogin -p local.pse -O <user>

11. Check when the SAProuter license expires:
/usr/sap/saprouter/sapgenpse get_my_name

Note : To see who is connected through saprouter, run this command :
/usr/sap/saprouter/saprouter -L
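
Step 3 of the renewal (backing up certreq, local.pse and srcert), as an added shell example that is not part of the original post: it copies the three files into a timestamped directory that only the owner can read and verifies each copy before the PSE is regenerated. The function name and the backup-<timestamp> directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Function name and backup directory layout are assumptions.

# Back up the SAProuter PSE files before renewing the certificate.
# $1 = SAProuter directory (default /usr/sap/saprouter, as on this page)
# $2 = timestamp for the backup directory name (default: current time)
# Prints the backup directory on success.
backup_saprouter_pse() {
    dir=${1:-/usr/sap/saprouter}
    stamp=${2:-$(date +%Y%m%dT%H%M%S)}
    dest="$dir/backup-$stamp"

    # Without the current PSE there is nothing to roll back to: stop here.
    if [ ! -f "$dir/local.pse" ]; then
        echo "missing $dir/local.pse, nothing to back up" >&2
        return 1
    fi

    # local.pse holds the private key, so the backup must not be
    # readable by group or others. Fails if the directory already exists.
    mkdir -m 700 "$dest" || return 1

    for f in certreq local.pse srcert; do
        if [ -f "$dir/$f" ]; then
            cp -p "$dir/$f" "$dest/$f" && chmod 600 "$dest/$f" || return 1
            # Verify the copy byte for byte before the original is replaced.
            cmp -s "$dir/$f" "$dest/$f" || {
                echo "backup of $f does not match the original" >&2
                return 1
            }
        else
            echo "note: $dir/$f not present, skipped" >&2
        fi
    done

    echo "$dest"
}
```

To roll back a failed renewal, copy the three files from the printed directory back into /usr/sap/saprouter and rerun the expiry check.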

Tune your SQL Server SAP Database




Performance tuning is a very complex domain – good and deep knowledge and understanding of how SQL Server works is required to tune.

For this reason it’s simply impossible to quickly deal with all the facts and details you need to thoroughly look into every single corner of your database that could be tuned.


Why am I still writing a blog post about it then?


Because I very often see SQL Server-based SAP systems where little effort could improve performance so much – and many of the tasks which I’ll talk about can even be carried out without a downtime. For this reason I always find it too bad if I look at a system and see that these basic tasks were not carried out.


I have the impression that some SAP recommendations for SQL Server databases which were communicated via SAP Notes within the last couple of years are still not so well known yet for some reason, so I want to seize the opportunity and broadcast them as these are general ones… they are not supposed to be followed in special cases but they should be followed in any case…


As for my last blog post I have again written a KBA which contains everything I want to share while I again post the initial version of it here for those of you who don’t have access to SAP Notes and KBAs.


SAP KBA 1744217 – Basic requirements to improve the performance of a SQL Server Database


Points 2, 3, 4, 5, 8  and 9 don’t even require a downtime so you can go ahead and apply them right away.


Point 3 will cause some load for large objects and should therefore be carried out when the overall system load is low and you’re able to monitor it. Small tables can be compressed quite quickly and won’t cause considerable load. It’s a good idea to simply test it on a handful of tables with different sizes so you can see how long it takes in your system. You’ll be astonished how much space (and thereby indirectly I/O accesses) page-compression will save you.



(1) Kernel and Database Shared Library (DBSL) patchlevel


We frequently fix bugs or problems in the kernel and DBSL executables. Some of these are related to error messages, but many are related to performance issues as well. For this reason it is important to make sure that your kernel and DBSL executables are updated to the most recent patch levels provided by SAP on a regular basis. To do so, please follow SAP Note 19466.


(2) Statistics


If you follow point 7 SQL Server itself will take care of automatically updating statistics. Please do not schedule any additional statistics updates unless SAP explicitly recommends you to. Besides the automatic statistics update, please implement SAP Note 1558087.


(3) Database Compression


As of version SQL Server 2008 you can page or row compress database objects. We’ve seen many cases where compressing database objects could significantly decrease the amount of space occupied by the database. This in turn means that fewer I/O accesses are required to read and write data. For this reason SAP decided to use page compression by default in all newly installed systems as of May 2011.

If you are using SQL Server Version 2008 or higher and you fulfill all requirements from SAP Notes 1488135 and SAP Note 1459005 we strongly recommend to implement compression.


To check whether your database objects are already compressed, please:

  1. Go to transaction SE38 or SA38
  2. Start report MSSCOMPRESS
  3. Set the Data Compression Type and Index Compression Type Filter Options to Not compressed
  4. Wait for the table list to be refreshed
  5. If uncompressed objects are found, follow SAP Note 1488135 to page-compress them.
     Note that you can choose between:
       • Always ONLINE
       • ONLINE, retry OFFLINE
       • Always OFFLINE

Please be aware that compressing an object implicitly requires locking the object being compressed at certain times. If you use the online option, SQL Server will use as few locks as possible. If you use the offline option, the object will be locked and will not be available for access until the compression has finished. For large objects compression can take a while; for this reason make sure to use the first option if you want to avoid this. For tables which contain columns with data type image, text, ntext, varchar(max), nvarchar(max), varbinary(max), and xml, an online compression is not possible with SQL Server releases lower than SQL Server 2012. Please consider this when planning the compression of your database.


(4) Tempdb size


Especially in BW/BI systems, the tempdb is heavily used for certain tasks. Please make sure that it is correctly sized as described in SAP Note 1174635.

(5) Datafiles


To ensure that the data can be distributed over all existing data files, it is important that all data files provide free space at all times.

Please follow SAP Note 1238993 to ensure that your data files are configured correctly.

It’s also recommended that you have ~ 0.5 – 1 datafiles per CPU core (e.g. if your SQL Server can use 4 CPU cores, 2-4 datafiles make sense). If you are using a BW system it makes sense to have the same number of datafiles for the tempdb.


(6) Lock Pages in Memory Feature


As of SQL Server 2005 it is possible to prevent the operating system from paging out pages allocated by SQL Server to the page file. As a major part of the main memory allocated by SQL Server is the Data Cache, it is important that it is not paged out. Otherwise it would in the end be read from disk (the page file) instead of from main memory, which decreases performance. Please follow SAP Note 1134345 to make sure that you are using the lock pages in memory feature.

(7) Parameters


Please make sure that the database parameters are set as recommended in SAP Notes:


  • 327494 – SQL Server 2000
  • 879941 – SQL Server 2005
  • 1237682 – SQL Server 2008
  • 1702408 – SQL Server 2012


(8) sp_autostats


We recommend switching on sp_autostats for all objects in the database in order to leave the task of updating statistics to SQL Server. For some tables we’ve experienced better performance if the automatic statistics update is switched off. To correctly configure these for your database release, please follow SAP KBA 1649078.


(9) Disallow Page Level Locks


For several tables you need to disallow page level locks. Please follow SAP KBA 1648817 to properly configure this.


(10) Service Packs and Cumulative Updates


Make sure that you apply the most recent service pack and cumulative update for your SQL Server release, both on the server side and on all client sides.

Please see SAP Note 62988 and SAP KBA 1733195 for details.

SAP Tutorial – Create Transaction Code for ABAP Module Pools

ABAP Module pools are programs in ABAP that are created and used similar to any ABAP report.
But ABAP module pools can not be executed simply by calling F8.
A module pool requires an SAP transaction code to execute and run the ABAP module pool report.

In this SAP tutorial for ABAP developers, I want to show how to create transaction code for ABAP module pool objects.

There are some alternative methods of creating SAP transaction code which are shown with examples at SAP Transaction – Create Transaction Code for ABAP Program or Selection Screen and at How to Create SAP Transaction Code using SAP SE93 Transaction.

How to Create SAP Transaction Code using SAP SE93 Transaction

Are you ready to create a transaction code using the SAP SE93 screen for your ABAP report or ABAP program, so you can use it in SAP systems?

On the SAP main screen, type the SE93 SAP transaction code and display the Maintain Transaction SAP screen.

In this Maintain Transaction SE93 screen, ABAP developers or SAP users can edit or change an existing transaction code as well as create SAP transaction code.

As you can see in the below screen, I want to create a new ABAP transaction code “ZListCustomerSales” for calling an ABAP report. So I type the new SAP transaction code in the text input area. Then click Create button to create the new transaction code.

Following screen enables SAP users to enter a short text description for the new SAP transaction code.

Among the Start object radio buttons, select the Program and selection screen (report transaction) for calling an ABAP report or ABAP program using this new SAP transaction code.

The first selection Program and screen (dialog transaction) can be used for ABAP module pools. You can see an alternate way of how to create SAP transaction code for module pools at SAP Tutorial – Create Transaction Code for ABAP Module Pools.

After transaction attribute short text is entered in Create Transaction screen click the green OK button or press enter to continue for SAP transaction creation.

In this Create Report transaction screen, SAP users can define the ABAP program or ABAP report that will be executed when the transaction code is called.

Also please enter the selection screen code like screen 100.

After you have finished entering required SAP data for the new transaction code, save and exit from the SE93 SAP application. This is the end of creating transaction code process.

SAP users are now ready to use the new SAP transaction code “ZLISTCUSTOMERSALES”. Type the transaction code and navigate to the new screen by calling the transaction report behind the scene.

It is also possible to create SAP transaction code directly on the ABAP report object context menu Create > Transaction Code selection.
Here is where you can find step by step SAP Transaction – Create Transaction Code for ABAP Program or Selection Screen explaining how you can create SAP transaction codes for your ABAP report or ABAP program objects.