New client copy tools

As of SAP basis version 7.54 (which is ABAP version below S/4HANA 1909) a new set of client copy tools can be used.

Questions that will be answered in this blog are:

  • What are the version requirements of the new client copy tools?
  • What are the highlights of the new client copy tools?
  • How do I estimate the size of a client to copy?
  • How to run the new client copy tools?

Highlights of the new client copy tools

The main OSS note for the new client copy tools is 2962811 – New Client Copy Tool: General Information. And 2953662 – Recommendations for remote client copy performance improvements in S/4HANA.

Some highlights:

  • Native HANA support
  • Parallel processing of very large tables
  • SAP* in client 000 no longer needed: but still recommendation to use client 000
  • Option to use client copies with task list transaction STC01

Client size estimation

Transaction SCC_CLIENT_SIZE is a new transaction that can be used to estimate the size of a client:

Pending on your size run online or in batch mode. Result:

Client copy with new tool

In this example we first create the new client number 123 in transaction SCC4:

Now we can start transaction SCCLN for the new client copy tool:

And execute. Wait until done:

Remote client copy

Transaction SCC9N can be used for a remote client copy using the new tools:

Client deletion

Transaction SCC5N can be used for client deletion:

Bug fix OSS notes

Please check and apply following bug fix OSS notes for these new tools:

S4HANA upgrade preparation steps for simplification items

This blog will explain on the S4HANA upgrade preparation steps for the simplification items.

Questions that will be answered are:

  • How to prepare for the S4HANA upgrade?
  • How to get an overview on the S4HANA preparation items that need action?
  • How to re-run a single S4HANA preparation item check?

For more information on other preparation steps:

  1. For S4HANA conversion (start is ECC): read this blog
  2. For S4HANA upgrade (start is lower S4HANA version): read this blog

Upgrade pre-check OSS notes

Before you can start the upgrade install the pre-check OSS notes. First install OSS note 2399707 – Simplification Item Check. This might seem an old note, but it is constantly updated. If you did do the S4HANA readiness check before this note is already installed. But still always download and install the most recent version of this note. The second OSS note is 2502552 – S4TC – SAP S/4HANA Conversion & Upgrade new Simplification Item Checks.

These are TCI notes. During the implementation, you might need to clear all BI queues.

Per S4HANA version there is a third OSS note to apply. This note is different per S4HANA and feature pack version.

The OSS note for S4HANA 2020 is 2910131 – SAP S/4HANA 2020 Initial Shipment Stack Conversion & Upgrade – TCI Note #9. For S4HANA 2021: 3028788 – SAP S/4HANA 2021 Conversion & Upgrade checks – TCI Note #10. For S4HANA 2022: 3143951 – SAP S/4HANA 2022 Conversion & Upgrade checks – TCI Note #11. Also these are TCI notes.

For the functional preparation: 3226469 – SAP S/4HANA 2022 – application specific notes in system conversion / release upgrade preparation phase. And after the upgrade: 3226548 – SAP S/4HANA 2022 – application specific notes in system conversion / release upgrade follow-on phase.

Running the pre-checks

Start program /SDF/RC_START_CHECK. First update the catalog:

And check that the OSS notes are up-to-date:

After updating the OSS notes all lights should be green:

Then select the right Target SAP S/4HANA Version and run the program.

This run might take a while based on the performance of your system and the size of your database.

You now get an overview list of the items:

The top one is the famous CVI (Customer Vendor Integration). Now select all the items and press the button Check Consistency for All, to get all the details (again this might take a while). Per item you get the details on the fixes required:

The red items need to be fixed.

There are some items you can exempt. Judge carefully first before applying the exemption. This exemption function is only available in the first overview screen.

Check single item again

You can use program /SDF/RC_TROUBLE_SHOOT to run a single check again. As input you need to provide the full text of the Simplification ID:

This way, you don’t need to wait for the complete run to finish.

DTV tool

Consider the use of the DTV tool (data transition validation) for the real migration testing and execution.

Client 001 and 066

Some of the checks might return items in clients 001 and 066. For an S4HANA upgrade these need to be deleted. In stead of fixing the issues in these clients, delete them. See more about this deletion in this dedicated blog.

The real S4HANA upgrade

The SUM tool will execute the real S4HANA upgrade. It will call the same /SDF/RC_START_CHECK program. SUM tool will abort if even a single item is not ok.

ACF: Active Component Framework

SAP uses the ACF (Active Component Framework) in some solutions to provide extra functionality between the desktop and the SAP system.

This framework is known to be troublesome. If possible avoid the usage. If you cannot avoid it, use this blog for know fixes.

Questions that will be answered are:

  • Why avoid the use of the ACF framework?
  • Which use cases can already avoid ACF framework?
  • What are know issues of the ACF framework?
  • What are trouble shooting OSS notes for the ACF framework?

Why to avoid the ACF framework?

The ACF framework relies on a separate installation file on the desktop of the end user. In the default scenario, this file is present on the SAP server and will be pushed to the end user when needed. But most of the desktop software settings on the users desktop will block this file for security reasons. This will force you to distribute these files via the desktop team. After a support pack or upgrade, the ACF file gets renewed and again you have to take care. The ACF framework also depends on the JAVA versions installed on the desktop and the browser.

The ACF framework is known to be delivering nasty issues which are hard to tackle and solve. Any software change on the desktop can lead to issues with the ACF framework.

Avoid the use if possible.

Actions to move away from ACF usage

If you use ACF in the contect of PLMWUI, follow these instructions in OSS note 2879616 – Steps to configure ACF Replacement functionality in PLM WebUI to have the same functionality without ACF.

For the ABAP upload/download use case of ACF, follow the instructions in OSS note 2438690 – Moving to a Plugin-Free Web and ACF file Upload/Download/Execute component.

If you use SAP solution manager documentation (SOLDOC), apply OSS note 3009338 – SOLDOC: SAP GUI office Integration to shift from ACF to normal browser support.

ACF version and distribution

You can determine you current ACF version by following the instructions in OSS note 1481194 – Determination of ACF version.

Installation and download instructions of the ACF files are described in OSS note 766191 – Installation of Active Component Framework. Prerequisites for running ACF are listed in OSS note 1150277 – Prerequisites for using ACF.

Automatic download or installation considerations are described in OSS note 1488874 – ACF – automatic download or installation.

If you update your browser, or use Citrix, read this OSS note 1766401 – ACF: Switch to new operating system or Internet Explorer.

Patch history of ACF is listed in OSS note 1878583 – ACF: File upload/download/execute patch history.

ACF troubleshooting

For ACF troubleshooting, check the following OSS notes:

Idoc tips & tricks

This blog will give tips & tricks on working with idocs.

Questions that will be answered are:

  • How can I actively monitor idocs?
  • How can I reprocess idocs in error?
  • How to process idocs in collect mode?
  • How can I search the business content of idocs?
  • How to execute technical consistency check for the idoc settings?
  • How can I clean up idocs?
  • How can I force a change of idoc status?

Idoc search and listing

Next to WE02 and WE05, you can use transaction WLF_IDOC to list idocs. WLF_IDOC can also scan the idocs for content. Read more on WLF_IDOC in this blog.

WE06 active idoc monitoring

Transaction WE06 can be used to setup active idoc monitoring. If idocs are running into delay for certain status, you can send workflow:

You need to activate the ALARM message workflow: this is a work item of the TS74508518 standard task.

Read the full SAP help for more details.

WE09 search idoc for business content

Transaction WE09 can be used to search idocs for business content:

Short instruction on how to use WE09 is documented in OSS note 1823081 – WE09 – criteria for searching in data records.

A search function is also available in transaction WLF_IDOC.

Set idoc status

Program RC1_IDOC_SET_STATUS can be used to change an idoc status:

This program is meant to run on non-production systems. Take special care and think twice before running this program on a productive system.

Technical consistency check

You can use transaction BDM5 to execute a technical consistency check for your idoc configuration:

Per item a lot of sanity checks are performed:

Processing inbound idocs that are on collect

You can use transaction BD20 to process inbound idocs with partner profile on collect (idocs status 64):

You can also schedule the program RBDAPP01 in batch to process the idocs in status 64 periodically.

When you post too many idocs too fast with immediate processing, the SAP system might get overloaded and will leave the idocs in status 64. In this case best to switch to collect mode and plan the program RBDAPP01 periodically for processing. See more in OSS note 1872637 – Delays posting inbound IDocs (status 64) which have been configured to trigger immediately.

Bug fix OSS note for RBDAPP01: 2795034 – RBDAPP01 – selection of IDocs that have not yet been completely saved (dirty read).

For parallel processing read this note: 2697762 – ALE: Maximum processes for processing.

Idocs remaining on status 64

In weird cases inbound idocs with partner profile set to process immediately remain in status 64.

Potential root causes:

Sending outbound idocs that are on collect

If you have configured outbound idocs to be collected, the idocs remain in status 30 until they are to be sent out. The sending can be done with transaction WE14 or by batch job of program RSEOUT00:

Recent bug note on RSEOUT00: 2747015 – IDoc: Locks in IDoc outbound processing.

Custom idoc processing remains in status 30

If you have custom idocs or custom idoc processing and you call function module MASTER_IDOC_DISTRIBUTE for the outbound distribution, the idocs might get stuck in status 30, even if you set the partner profile to immediate processing. If this is the case, read OSS note 1575852 – Outbound IDocs remain in status 30. This solution provided might seem strange, but it does work:

Implement the following “triple” into your program that creates the idocs:

  CALL FUNCTION ‘DB_COMMIT’.
  CALL FUNCTION ‘DEQUEUE_ALL’.
  COMMIT WORK.

Checking that outbound idocs have passed RFC layer

If there are issues with outbound idocs, most likely it is because they are stuck in the RFC layer. You can check this with transaction SM58.

You can use transaction BD75 to convert the idocs from status 03 to status 12. Status 12 means that they have correctly passed the RFC layer. The program behind BD75 is RBDMOIND, which can also be planned in a batch job:

Reprocessing failed inbound and outbound idocs with technical errors

If outbound idocs fail with technical errors like 02, 25, 26, 29: first correct the technical setup error. When the setup is fixed, you can use transaction BD83 to reprocess the failed idocs (in stead of regenerating them):

If inbound idocs fail with technical errors like 56, 61 , 63: first correct the technical setup error. When the setup is fixed, you can use transaction BD84 to reprocess the failed idocs (in stead of asking the sender to send them again):

Planning these programs in batch job is not a good idea. Fix the root cause, then this reprocessing is not required any more in the future.

Reprocessing edited idocs

If you have edited idocs and want to reprocess them again, use transaction WPIE to start the processing:

Reprocessing inbound idocs in status 51

You can use program RBDMANI2 to reprocess idocs in status 51 (error in functionality):

This program is usually run in background mode as well in productive system. In a productive system don’t run it too frequently, since very try will add a new status 51. Therefore also limit the amount of days of history you want to reprocess automatically. Do use the option to filter on message class and number, to reprocess only selective messages for selective message type. The most common use is to reprocess idocs that could not be processed due to another user locking the data.

This might result into a couple of variants, or even a couple of different batch jobs running at different frequencies for reprocessing different message types.

If the reprocessing takes long time, read OSS note 2524675 – Long processing time when processing IDocs in status 51. This basically tells you to start deleting or archiving idocs.

Idoc clean up

Transaction WE11 can be used to delete idocs. If you want to archive idocs, you can use archiving object IDOC. See OSS note 40088 – Deletion or reorganization of IDocs, or this blog on technical clean up.

Checking RFC security settings

RFC security is a cumbersome job. There are programs to help speed up the security checks for RFC connections.

Questions that will be answered in this blog:

  • How to quickly check all the RFC’s in my system?
  • How to quickly check the trusted RFC’s in my system?

Hacking using RFC connections

RFC callback hacking: read this blog.

RFC jump hacking: read this blog.

Check RFC connections

Program RSRFCCHK (which also has the same transaction code RSRFCCHK) can quickly scan all your RFC’s. In the selection screen, please make sure to select the 2 extra boxes for “Also check RFC destinations without explicit password” and the “Select destinations without target system too”:

The connection test is optional. But if the RFC is not working, then you might consider it old and no longer needed. In this case you can perform the clean up by deleting the RFC.

The output of the report RSRFCCHK, you can use to look for:

  • RFC’s with personal user ID
  • Cross system layer RFC’s (from production to development, or from development to production)
  • Trusted connections where you don’t expect them
  • Old destinations no longer in use
As a best practice at least yearly check on every system the RFC's that are setup there. Read this blog on how easy it is to use wrongly configured RFC's to hack a system.

OSS notes: 3283474 – Adjustment of authorization for program RSRFCCHK.

Check trusted connections

To check trusted connections run program RS_SECURITY_TRUST_RELATIONS. Output example:

The red lights should be investigated and fixed.

More on setting up trusted RFC’s is written in this blog.

SAP standard on RFC security

OSS note 2008727 – Securing Remote Function Calls (RFC) contains a very extensive PDF explaining all ins and outs on RFC security.

SAP icons

SAP uses many icons in the SAP GUI and on their web applications. This blog will explain how to find them.

Questions that will be answered in this blog are:

  • How can I find SAP icon codes for SAP GUI use?
  • How can I find icons for SAP web applications and FIORI?

Icons in SAP GUI

To get a list of icons in SAP GUI, start transaction ICON:

If you want to search more specific or have a different sorting, you can start report SHOWICON:

With result screen:

Another icon program is RSTXICON:

SAP web applications

There is also an online icon explorer for SAP web applications and FIORI. Follow this URL:

and detailed screen:

BRF+ transport issues

BRF+ rules are nice for developers to use, but can give you some serious issues at transport level.

Questions that will be answered in this blog are:

  • Which tools and analysis programs are available in case I have issues with BRF+ transports?
  • How to recognize BRF+ transport issues?
  • Which relevant OSS notes to check in case of transport issues?

BRF+ transport issue detection

BRF+ rules can cause both issues at export (RC-8) and at import (RC-8 or content not updated while transport shows RC-0 or RC-4). Check the transport for BRF+ rules: they start with FDT.

Troubleshooting BRF+ with FDT_HELPERS

The main basis troubleshooting transaction is FDT_HELPERS.

FDT helpers start screen

It contains many tools that can assist in issue solving.

BRF+ transport issue support programs

BRF+ versioning and transport information is not displayed by default. You have to switch to expert mode first. See OSS note 2830979 – Versioning and transport information missing in the BRF+ workbench.

Support program FDT_TRANS can be used to put BRF+ rule into a transport (the person that runs this program must be owner of the transport as well):

FDT_TRANS

For mass checking run program FDT_TRANS_MASS_CHECK:

FDT_TRANS_MASS_CHECK

RC-8 upon export

If somebody is still in Edit mode in the BRF+ transport you want to release, then the transport export of the BRF+ transport will end in an RC-8. This is quite hard to detect in the RC-8 export log of the transport. So in case you are faced with export RC-8 of BRF+: ask everybody to go away from the BRF+ edit modes and re-export the transport.

Transport issue OSS notes

You can also check the following OSS notes:

EWA workspace

SAP Eearly Watch Alerts (EWA) has always been a primary tool delivered by SAP for system administrators to get an automated report on their SAP system.

The last few years SAP has been working very hard to get the EWA online as part of the support.sap.com pages. This development is now so far and good, that you can consider to switch using the online EWA workspace in stead of the EWA’s generated by your local solution manager system.

Questions that will be answered in this blog are:

  • How to access the online EWA workspace?
  • Can I still get my EWA in PDF or word format?
  • What are extra functions the online EWA workspace offers versus the traditional EWA?
  • Can I set up e-mails for EWA workspace to receive early watches?
  • Can I get an overview of all the alerts across all EWA’s?

EWA workspace

The EWA workspace can be reached on this URL: https://launchpad.support.sap.com/#/ewaworkspace.

The first page is the overview page:

By clicking on the tiles you can zoom in on the diverse topics.

EWA for single system

In the overall rating tile, you can click on the donut graph to goto the list of separate EWA’s:

Here you can open the word or PDF doc, or by clicking on the line goto the online EWA for the single system:

On each topic you can zoom in by clicking on the line:

Sending EWA data to SAP

To get the information to SAP still the local SAP solution manager system (or Focused Run, see this blog) is used to collect the data, and submit it to the SAP market place. In the past the sending was once per month. With the switch to the new backbone infrastructure this is now once per week. If the EWA is not received on SAP EWA workspace page, please check the reference OSS notes in OSS note 1684537 – EarlyWatch Alert not sent to SAP: troubleshooting guide.

Setting up mails on EWA workspace

Follow the instructions of OSS note 2530034 – How to set up e-mail, SMS, and/or launchpad notifications – SAP ONE Support Launchpad to setup mail notifications for the SAP early alert workspace. You can also read these instructions from the SAP Focused Run expert portal, which are very clear: link.

EWA Alert solutions

In me.sap.com there is a special tile which has an overview of all the alerts of all EWA’s: the EWA alert solution page. Read more on this useful tool in this blog.

Background on EWA workspace

The primary background site about the EWA workspace can be found here.

A great start for first users is this blog on the effective use of EWA workspace.

One of the functions on EWA workspace that add value over the traditional EWA is the performance evaluation. Read more on this SAP blog.

EWA tips & tricks

More on EWA tips & tricks in this dedicated blog.

SAP logon user exit hack

In SAP there is a user exit just behind the logon of a user. This can be used correctly, but also used for hacking.

Questions that will be answered in this blog are:

  • How to switch on the user exit after logon?
  • What is good use of the user exit after logon?
  • How to use the user exit for hacking?

Activation of the user exit

In transaction SMOD you can call up user exit SUSR0001:

This exit has only one component:

Double click on the exit to go to the Z code include:

To activate the exit, create a project in CMOD and and include this enhancement. Then double click on the include code ZXUSRU01 to activate the code.

Good use of the user exit

The user exit itself is described in OSS note 37724 – Customer exits in SAP logon. Example of good use it to restrict multiple logons in case you cannot switch on parameter login/disable_multi_gui_login. See OSS note 142724 – Prevention of multiple SAPGUI logons.

The exit is also used a lot by GRC and firefighter type of tools.

For ITS webgui the calling of the logon user-exit can be skipped with a URL parameter. See OSS note 1465767 – Logon user exit SUSR0001 not called.

The user exit logon hack

In the user exit code, you can put in your own stuff.

As hacking example: copy function module PASSWORDCHECK and the screen that belongs to it to your own ZPASSWORDCHECK.

Modify the screen logic a bit. This is the original code:

Now change the code: the password is always reported back as ok. And the user input you catch in the field password is yours: you can mail it or store it somewhere for you to pick up later.

Put the altered code in the user-exit with logic:

IF SY-UNAME = 'target user name' and not capture before.    
  CALL Z function ZPASSWORDCHECK.    
  Store capturing.     
  Set capture flag.
ENDIF.

This looks as follows at runtime:

Many end users (and even auditors) will enter their password without thinking twice.

Alternatively you can use function module POPUP_GET_USER_PASSWORD as a basis for your copy: this has also clear text password:

The password field can be stored.

This has the following look and feel:

Detection and protection

It is wise to shield off this user exit from improper use and to yearly check the content of what is inside this user exit.

SAP pathfinder

SAP pathfinder is an SAP tool to give you insights into your system and let SAP tell you where they think you can improve, optimise and innovate.

Questions that will be answered in this blog are:

  • What is SAP pathfinder?
  • How do I run it?
  • Can I see a sample report of what I will get?

SAP pathfinder will most likely by succeeded by Signavio process insights. Read this blog for more information on Signavio process insights, discovery edition.

SAP pathfinder

SAP pathfinder is part of the innovation and value support part of SAP. The full background can be read on the SAP pathfinder site. This site includes video’s that explain everything.

On this site you can also find an example output report.

Background OSS notes:

How to run SAP pathfinder?

Apply 2 OSS notes: 2758146 and 2745851.

Move the OSS notes to your productive system and run program RC_VALUE_DISCOVERY_COLL_DATA:

Let the analysis run and then download the data. To do that start the program again and push the Download Analysis Data button.

You will need as well a PDF copy of your production system EWA.

If you have the files, upload them at the SAP site, confirm, and wait about 1 to 2 weeks before SAP has finished your report.

Main screen shot from the sample:

In case of issues you can read the troubleshooting guide: 2977422 – Process Discovery (evolution of SAP Business Scenario Recommendations) & SAP Pathfinder report – troubleshooting guide.

Read more in OSS note 2918818 – Usage and Performance Data Collection for Process Discovery (evolution of SAP Business Scenario Recommendations) and SAP Innovation and Optimization Pathfinder on Spotlight on the inclusion of usage and performance data.