Last Changed: 05th of April 2022

While the installation and (Basis) configuration of SolMan 7.2 is already a complex task, the correct implementation of the Diagnostic Agent turns out to be an even more complex one.

Blog – SAP MacGyver – Installing SAP SolMan 7.2


Install and connect the SAP Diagnostic Agent properly

It is always beneficial to start with a completely new installation before spending too much time fixing an existing setup. This allows you to use the latest version of the SAP JVM 8, SAP Host Agent 7.22 and the current 7.53 SAP Kernel. Regardless of the version you install, once the installation is finished the Diagnostic Agent gets the latest version for the connected SolMan 7.2.

First, install/update the SAP Host Agent to the latest version and make sure the parameters in the file host_profile are set correctly to support the SSL configuration.

Note 540379 – Ports and services used by SAP
Note 3093121 – SAP Host Agent 7.22 PL54
Note 3113553 – SAP Host Agent 7.22 PL55
Note 3138653 – SAP JVM 8.1 Patch Collection 84 (build 8.1.084)
Note 1858920 – Diagnostics Agent installation with SWPM
Note 2253383 – Diagnostics Agent – SWPM Archive-Based Installation
Note 2573122 – Diagnostics Agent can’t find .sar file

SAP Help – Configuring SSL for SAP Host Agent on UNIX

# executed as root with switch to user sapadm
# the PIN is single-quoted so that an interactive bash does not treat "!" as history expansion
# leave out -x to be prompted for the PIN instead of exposing it in the process list and shell history
server:/usr/sap/hostctrl/exe/sec #
# create the PSE and the certificate request (server-csr.p10)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x 'is!seCret' -r /usr/sap/hostctrl/exe/sec/server-csr.p10 "CN=server.domain.ext, O=SAP AG, OU=IDNA, C=DE"
server:/usr/sap/hostctrl/exe/sec #
# grant sapadm access to the PSE (creates cred_v2)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x 'is!seCret' -O sapadm
server:/usr/sap/hostctrl/exe/sec #
# send the certification request (server-csr.p10) and get the response (server-csr.p7b)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x 'is!seCret' -c server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #
# verify the imported certificate
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x 'is!seCret' -v
server:/usr/sap/hostctrl/exe/sec # dir
-rwxrwxr-x 1 sapadm sapsys 5239 Oct  6 14:53 SAPSSLS.pse
-rwxrwxr-x 1 sapadm sapsys  115 Oct  6 14:51 cred_v2
-rwxrwxr-x 1 sapadm sapsys  964 Oct  6 14:51 server-csr.p10
-rwxrwxr-x 1 root   root   6559 Oct  6 14:52 server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #

 

server:/usr/sap/hostctrl/exe # vi host_profile
# add the following Information and restart with ./saphostexec -restart
SECUDIR = /usr/sap/hostctrl/exe/sec
ccms/enable_agent = 1
saphostagent/ssl_setup = true
service/admin_users = sapadm dasadm
service/http/hostname = server.domain.ext
ssl/server_pse = /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
# enable SSL - ./saphostexec -install -setup slplugin -passwd
# update SHA - ./saphostexec -upgrade -archive SAPHOSTAGENT54_54-80004822.SAR
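
The directory listing above shows SAPSSLS.pse and cred_v2 with mode -rwxrwxr-x, which grants read access to others. The following check is an added example, not part of the original post or of SAP's tooling: it reads SECUDIR and ssl/server_pse from host_profile and reports key material that is missing, has the wrong owner, is accessible to others or is group-writable. The policy itself, the function names and the sandbox in demo() are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key material that
# host_profile points the SAP Host Agent at. Assumed policy: files owned by
# sapadm, no access for "others", not group-writable. Uses GNU stat (Linux).

profile_value() {   # usage: profile_value <host_profile> <parameter>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

audit_hostagent_pse() {   # usage: audit_hostagent_pse <host_profile> <owner>
    secudir=$(profile_value "$1" SECUDIR)
    pse=$(profile_value "$1" ssl/server_pse)
    findings=0
    for f in "${pse:-<ssl/server_pse unset>}" "${secudir:-<SECUDIR unset>}/cred_v2"; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; findings=1; continue; fi
        mode=$(stat -c '%a' "$f"); who=$(stat -c '%U' "$f")
        [ "$who" = "$2" ] || { echo "OWNER $f is $who, expected $2"; findings=1; }
        # last octal digit = others, middle digit = group (bit 2 = write)
        [ $((mode % 10)) -eq 0 ] || { echo "WORLD $f mode $mode"; findings=1; }
        [ $((mode / 10 % 10 & 2)) -eq 0 ] || { echo "GROUPW $f mode $mode"; findings=1; }
    done
    return $findings
}

demo() {   # constructed sandbox mirroring the 775 modes in the listing above
    d=$(mktemp -d); mkdir "$d/sec"
    printf 'SECUDIR = %s/sec\nssl/server_pse = %s/sec/SAPSSLS.pse\n' "$d" "$d" > "$d/host_profile"
    : > "$d/sec/SAPSSLS.pse"; : > "$d/sec/cred_v2"
    chmod 775 "$d/sec/SAPSSLS.pse" "$d/sec/cred_v2"
    owner=$(stat -c '%U' "$d")          # sandbox stand-in for sapadm
    echo "--- as listed (775):"; audit_hostagent_pse "$d/host_profile" "$owner" || true
    chmod 600 "$d/sec/SAPSSLS.pse" "$d/sec/cred_v2"
    echo "--- tightened (600):"; audit_hostagent_pse "$d/host_profile" "$owner" && echo "clean"
    rm -rf "$d"
}
demo
```

On a real host the call would be audit_hostagent_pse /usr/sap/hostctrl/exe/host_profile sapadm, run as root.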

 

Secondly, Install the Diagnostic Agent with SWPM 1.0 SP32 (or higher)
Note 1680045 – Release Note for SWPM 1.0 (recommended: SWPM 1.0 SP32)

./sapinst SAPINST_EXECUTE_PRODUCT_ID=NW_DiagnosticsAgent:GENERIC.IND.PD

Detected Software Packages are up to date

The port of the Java SCS instance is not the P4 or P4S port; it is the 4-digit port defined in the ASCS profile of the SAP Java SolMan 7.2 server.
As the SAP Java implementation lacks certain SAP standard features like logon balancing and secure communication, the use of a Web Dispatcher is mandatory as soon as a load is expected that cannot be handled by a single SAP Java instance/node.
The most suitable configuration is to stick to the Web Dispatcher configuration for the SCS message server ports for HTTP/HTTPS, as it stays close to the attached SAP ABAP instance.

# mandatory instance parameters that must be set in a SAP JAVA instance
ms/server_port_0 = PROT=HTTP,PORT=80$$
ms/server_port_1 = PROT=HTTPS,PORT=81$$
service/protectedwebmethods = DEFAULT
system/secure_communication = OFF

SAP Help – SCS Instance with Integrated SAP Web Dispatcher

Blog – Preparation – SolMan 7.2 Configuration

SWPM might expect 444<SCS Nr.> as the HTTPS SCS port; in fact it expects any HTTP SCS port, which can be freely defined, e.g. as 80<SCS Nr.> in the SolMan 7.2 Java DEFAULT.pfl.

However, the SAP standard documentation is quite vague when it comes to the definition of the port ms/server_port_1 = PROT=HTTPS for SAP Java. By default this parameter is neither set nor defined.

SAP Help – Parameters for Additional Components to be Included in the SCS Instance => HTTPS note mentioned
SAP Help – Direct SAP Solution Manager Connection
=> talks only about the Java SCS Message Server with SSL support; the term “P4(S)” connection is misleading. This connection type is recommended by SAP.
SAP Help – Security Settings for the SAP Message Server
SAP Help – SAP Solution Manager Connectivity Parameters => 444<SCS Nr.>
SAP Help – TCP/IP Ports of All SAP Products => 443<SCS Nr.>
In an SAP Java instance, the ICM port is not the HTTP message server port. These are different ports, so the definition in the official SAP documentation is not clear either.

icm/server_port_0 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01
icm/server_port_1 = PROT=HTTP, PORT=5$(SAPSYSTEM)00
icm/server_port_5 = PROT=P4SEC, PORT=5$(SAPSYSTEM)05, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_5
icm/server_port_4 = PROT=P4, PORT=5$(SAPSYSTEM)04, TIMEOUT=240, PROCTIMEOUT=900
ms/server_port_0 = PROT=HTTP,PORT=80$(SAPSYSTEM)
ms/server_port_1 = PROT=HTTPS,PORT=81$(SAPSYSTEM)
# ms/server_port_1 = PROT=HTTPS,PORT=443$(SAPSYSTEM)

 

To be on the safe side, check the Settings of the HTTPS Port for the SCS Instance in the SAP NetWeaver Administrator => Configuration => Infrastructure => Message server.

check with the SolMan NWA the SCS Port(s)

Connection Information for the Diagnostic Agent

The definition “P4 (SSL) Connection via Java SCS Message Server” is also misleading, as the P4/P4S port can be checked with the following URL:

Note 2914769 – Cannot establish connection to URL /msgserver/text/logon

http://server.domain.ext:80<SCS Nr.>/msgserver/text/logon?version=1.2
https://server.domain.ext:81<SCS Nr.>/msgserver/text/logon?version=1.2

the SCS Port of the SolMan JAVA Instance has 4 Digits
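
Which port belongs to which listener can be read straight from the profile. The following script is an added example, not part of the original post: it expands $$ and $(SAPSYSTEM) for a given instance number, lists every ms/ and icm/ listener with its protocol, and builds the logon-check URLs for the message server ports. The instance number 19 and the function names are assumptions; the sample profile is constructed from the parameter values shown above.

```shell
#!/bin/sh
# Added example (not from the original post): list the listener ports a SAP
# Java profile defines and build the message server logon-check URLs.
# "$$" and "$(SAPSYSTEM)" both expand to the two-digit instance number.

resolve_ports() {   # usage: resolve_ports <profile|-> <instance-nr>
    awk -v nr="$2" '
        /^[ \t]*#/ { next }                      # commented-out parameter
        {
            eq = index($0, "="); if (!eq) next
            param = substr($0, 1, eq - 1); gsub(/[ \t]/, "", param)
            if (param !~ /^(ms|icm)\/server_port_[0-9]+$/) next
            value = substr($0, eq + 1)
            gsub(/\$\$/, nr, value); gsub(/\$\(SAPSYSTEM\)/, nr, value)
            proto = ""; port = ""
            n = split(value, kv, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", kv[i])
                if (kv[i] ~ /^PROT=/) proto = substr(kv[i], 6)
                if (kv[i] ~ /^PORT=/) port = substr(kv[i], 6)
            }
            tls = (proto == "HTTPS" || proto == "P4SEC") ? "tls" : "cleartext"
            print param, proto, port, tls
        }' "$1"
}

logon_urls() {      # usage: logon_urls <host> <profile|-> <instance-nr>
    resolve_ports "$2" "$3" | awk -v host="$1" '
        $1 ~ /^ms\// {
            scheme = ($4 == "tls") ? "https" : "http"
            print scheme "://" host ":" $3 "/msgserver/text/logon?version=1.2"
        }'
}

sample_profile() {  # constructed sample using the parameter values shown above
    cat <<'EOF'
icm/server_port_0 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01
icm/server_port_1 = PROT=HTTP, PORT=5$(SAPSYSTEM)00
icm/server_port_5 = PROT=P4SEC, PORT=5$(SAPSYSTEM)05, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_5
icm/server_port_4 = PROT=P4, PORT=5$(SAPSYSTEM)04, TIMEOUT=240, PROCTIMEOUT=900
ms/server_port_0 = PROT=HTTP,PORT=80$$
ms/server_port_1 = PROT=HTTPS,PORT=81$(SAPSYSTEM)
# ms/server_port_1 = PROT=HTTPS,PORT=443$(SAPSYSTEM)
EOF
}

sample_profile | resolve_ports - 19      # instance number 19 is an assumption
sample_profile | logon_urls server.domain.ext - 19
```

The 4-digit ms/ ports are the ones the logon-check URL answers on; the 5-digit icm/ ports are listed only to show that they are separate listeners.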

Monitor the further Setup in the Agent Administration Monitor

 

https://server.domain.corp:5<nr>01/smd/AgentAdmin

SAP Help – connection to the SolMan via P4S Socket

Note 1907909 – How to connect Diagnostics Agent to Solution Manager system directly by using smdsetup script

 

server:dasadm > cd /usr/sap/DAS/SMDA98/script/
server:dasadm > stopsap r3
server:dasadm > ./smdsetup.sh sldconf hostname:"sapms://server.domain.ext" port:"51801" user:"SMD_RFC" pwd:"is!seCret" use_ssl:"true"
server:dasadm > ./smdsetup.sh managingconf hostname:"sapms://server.domain.ext" port:"51805" user:"SMD_RFC" pwd:"is!seCret"
server:dasadm > startsap r3
server:dasadm > ls -lart ../SMDAgent/log/
drwxr-xr-x 9 dasadm sapsys   4096 Oct  6 18:47 ..
-rw-r--r-- 1 dasadm sapsys   6992 Oct  6 18:48 dpc.0.log
-rw-r--r-- 1 dasadm sapsys   7658 Oct  6 18:48 eem.0.log
-rw-r--r-- 1 dasadm sapsys   4749 Oct  6 18:49 smd.0.connector.listener.log
-rw-r--r-- 1 dasadm sapsys    689 Oct  6 18:49 e2emai.0.log
-rw-r--r-- 1 dasadm sapsys    622 Oct  6 18:49 e2edcc_iis.0.log
drwxr-xr-x 2 dasadm sapsys   4096 Oct  6 18:49 .
-rw-r--r-- 1 dasadm sapsys   9688 Oct  6 19:37 SMDAgentApplication.0.log
-rw-r--r-- 1 dasadm sapsys 109497 Oct  6 21:04 e2edcc_host.0.log
-rwxr-xr-x 1 dasadm sapsys 166874 Oct  6 21:04 SMDSystem.0.log
-rwxr-xr-x 1 dasadm sapsys 530335 Oct  6 21:04 smdagent_trace.0.trc
-rw-r--r-- 1 dasadm sapsys  31169 Oct  6 21:04 e2edcc_db.0.log
-rw-r--r-- 1 dasadm sapsys 142068 Oct  6 21:04 e2edcc.0.log
# if you do not see all these files, the script smdsetup.sh was executed incorrectly!

 


Check in the Agent Administration that the Agent is available and that you can trust the Agent.

/webdynpro/dispatcher/sap.com/tc~smd~server~agent~admin/SMDAgentAdminApplication

Connection Status – Agent Administration

 

If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab.

com.sap.smd.agent.application.connectors
com.sap.smd.agent.application.global.configuration

 


Diagnostic Agents – Overview

 

Finally, the configuration should look like this (alternatively, you can use the MS/P4 server connection for the SolMan configuration). Here you can also switch to P4S (P4 SSL); keep in mind that this type of connection is not suitable for cluster installations.

Diagnostic Agent Connectivity – MS/P4

Diagnostic Agent Connectivity – P4 SSL

Diagnostic Administration successfully enabled

Advanced Agent Administration

Wiki – Diagnostics Agent and HA Support

Configure Agents on-the-fly for FRUN

 


Starting with SP 14 for SolMan 7.2, you can update the cipher suites with the elliptic curve algorithms ECDHE and ECDSA for outbound connections in SAP NetWeaver (NW) AS Java. The settings from the following Note are still possible; however, it is better to switch them to the new values (SSLContext.properties).

 

Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 3144145 – How to support Elliptic Curve Algorithms in Diagnostics Agent

# edit the following file and append the two -D options to the existing smdagent.javaParameters entry (shown wrapped here)
/usr/sap/DAS/SMDA98/SMDAgent/smdagent.properties
smdagent.javaParameters=-DP4ClassLoad=P4Connection -Xmx256m -Xms256m -XX:MaxPermSize=128m
-Djdk.tls.client.protocols="TLSv1.2"
-Diaik.security.ssl.configFile=file:/usr/sap/DAS/SMDA98/SMDAgent/SSLContext.properties
#
# edit the following file and uncomment the line
/usr/sap/DAS/SYS/exe/jvm/linuxx86_64/sapjvm_8.1.080/sapjvm_8/jre/lib/security/java.security
crypto.policy=unlimited

 

Check

 

After restarting the Diagnostic Agent service, you can check the correct configuration in the Advanced Settings of the Agent Administration web page against an existing host which supports the new cipher settings, e.g.

Check the SSL Context Properties with your Diagnostic Agent

 

Typical Error Messages assigned to this Task

com.sap.smd.agent.facade.hostagent.HostAgentNotAvailableException: HostAgent stub com.sap.smd.agent.wsclients.jax.saphostcontrol.SAPHostControlInterfaceexecuteOperation failed.

Exception: javax.naming.NoPermissionException: 

Exception during getInitialContext operation. Wrong security principal/credentials. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Login failed.]

CX_SOAP_CORE : Error when calling SOAP Runtime functions: 
SOAP-ENV:Serverjava.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point'java.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point' 

P4 connection to Solution Manager Diagnostics (SMD) server failed
Connecting to SMD server ms://server.domain.ext:8019/P4 failed

Unable to create SSLContext because of KeyStore Exception java.security.UnrecoverableKeyException: Cannot recover key.)
Unable to open SSL connection to host "itsm.services.sap:443"

 

SAP Notes assigned to the Task/Topic (way too much “Jugend forscht”):

Note 1786051 – Configuration check for managed system returns “No FQDN found in Host”
Note 1799138 – Configuration check returns “The definition of Technical System ‘{SID}~{STACK}’ is not correct: ‘{SID}~{STACK}’ : Operating System ‘{OSName}’ of Host ‘{hostname}’ must have at least one Software Component Version” – SolMan
Note 1822831 – Web Service Soap Errors in solman_setup
Note 1862333 – Common Host Agent issues displayed in Agent Administration
Note 2183995 – Data Supplier Processing in SAP Solution Manager 7.2 in LMDB
Note 2187696 – CCMS agent disabled: AS Java System Overview gray lights
Note 2201640 – The definition of Technical System ‘<SID>~HANADB’ is not correct: ‘<SID>~HANADB’: Technical System must be installed on at least one Host.
Note 2414713 – The definition of Technical System <SID~TYPE> is not correct. No instance found under installed Technical System
Note 2436986 – Registration and Managed System Setup of SAP HANA in SAP Solution Manager
Note 2499629 – Manual activities in LMDB when switching the Outside Discovery by Diagnostic Agent to Outside Discovery by SAP Host Agent
Note 2554489 – Register AS ABAP system to SLD in RZ70 using HTTP connection with path prefix “/sld” doesn’t work
Note 2556432 – Switch Outside Discovery from Diagnostics Agent to SAP Host Agent
Note 2637838 – NWA “System Overview” shows grey lights and N/A status – Best Practices for Troubleshooting
Note 2836143 – How to directly register managed system to LMDB in SAP Solution Manager
Note 3054925 – Skip RFC connection error message in RZ70 when HTTP connection is maintained
Note 3073139 – SLD registration is deactivated due to incomplete calling parameters.
Note 3076443 – SAP Host Agent 7.22 PL53
Note 3090021 – Error ‘<SID>~ABAP’: Operating System ‘Linux~<version>’ of Host ‘<hostname>’ must have at least one Software Component Version
Note 3092345 – Define CA Introscope: wrong Diagnostics Agent
Note 2284059 – Update of SSL library within NW Java server
Note 2463712 – Diagnostics Agent TLS 1.2
Note 2538934 – Handshake is failing in AS Java when connecting to a server which only supports TLS_ECDHE ciphers
Note 2569156 – How to create, modify and validate SSLContext.properties file
Note 2616092 – System availability checks: Unable to open SSL connection to host “host:port”. KeyStore
Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 2817129 – The Diagnostic Agent continues to use TLS 1.1 even with the TLS 1.2 set in the parameters
Note 2893335 – AS Java TLS handshake failure – unsupported extension
Note 2849162 – Enable the Diagnostics Agent to Support Additional SSL Cipher Suites for IAIK-based Connections
Note 2951143 – java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer!

 


Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance

 

“I have no special talent, I am only passionately curious.”

4 Comments

Tim Karl

January 27, 2022 at 4:48 pm

Hello Roland,

thank you for the helpful overview. Some remarks from my side:

  • in your SWPM screenshot of the installation the port 8019 is used. As mentioned in the bottom of SWPM: the JSCS port should be in the format 81<instance number of JSCS>
  • P4S port configuration is only needed if the agents are connected thru P4 SSL instead of P4
  • “If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab” -> I would take a look into SOLMAN_SETUP -> Infrastructure Prep -> Step 2:3: Generation of authentication certificate (User&PWD auth isn’t supported in SM7.2 anymore). Next to this Infrastructure Prep -> Step 1.4: Definition of Java (technical) system and automatic executions in Step 2.1 are common root causes
  • I would always mention the common logs: SMDSystem.#.log and SMDAgentApplication.#.log
    • Therefore the Agent Log Viewer is great in the agent admin application
  • Another common root cause for missing agents per host is a missing agent on the fly configuration. Oliver and Christian created a great blog for

Kind regards

Tim

Roland Kramer

Blog Post Author

January 27, 2022 at 5:12 pm

Hello Tim,

Thanks for the immediate feedback, appreciated.

The reason why I have used the HTTP SCS Message Server Port and not the HTTPS Port is fairly simple: mostly the correct TLS/SSL configuration is not in place and must be available in advance.

Blog – demystifying TLS/SSL Settings for NetWeaver

All other issues are handled in the main Blog – SAP MacGyver – Installing SAP SolMan 7.2 where I explicitly mention to check all users in advance before continuing the SolMan Setup and switch the user type “Service” to avoid Password Changes and Locks.

Furthermore, the switch to P4S or P4 SSL is only possible when these prerequisites are fulfilled. However, Customers want to activate maximum security and P4 connections are not suitable for Cluster Installation and this annoying Information Message will not disappear.

The Agent on-the-fly Configuration is only necessary for FRUN Implementation, SolMan 7.2 can deal without it. Also for the Discovery of SAP IQ Databases it is not necessary and can cause Misunderstandings with the “Simple Diagnostic Agent” Installation (in my opinion)

SAP First Guidance – SAP NLS Solution with SAP IQ 16.x
