Hybrid Cloud: SAP and IBM Bluemix
HYBRID CLOUD: SAP AND IBM BLUEMIX
PI 7.50 INSTALLATION, PI DEMO SETUP AND IBM BLUEMIX ACCESS
Volker Schoelles, SAP on IBM z Systems Development, IBM Research & Development, Boeblingen, Germany
The objective of this effort was to build a ‘mobile Flight’ App in Bluemix®. This ‘mobile Flight’ App can search, list and even book
flights. The mobile client part of the ‘Flight’ App can run under iOS or Android operated mobile devices (like iPhone, Galaxy, or
others). The ‘Flight’ App server is running on the IBM MobileFirst™ Platform (MFP) under Bluemix. The App accesses flight data of
an “SAP on IBM® z Systems®” Process Integration (PI) system.
The following documents the setup of the necessary infrastructure to allow the Bluemix App access to data of the SAP PI Demo
scenarios. These scenarios show the PI usage for flight searching, listing and booking for a travel agency working with different
airlines and their SAP systems.
This is a Hybrid Cloud scenario. It describes how to set up the infrastructure to enable a Bluemix (Cloud) MobileFirst App to access
data of an SAP Process Integration on-premise system. Access to SAP data is through the SAP NetWeaver Gateway, which exposes
demo data thru OData services. On the other side, the Bluemix Secure Gateway service, which runs on an Ubuntu on z Systems LPAR,
needs to be set up to allow the Bluemix MFP ‘Flight’ App access to the SAP NetWeaver Gateway.
The demo data is defined within several PI Demo scenarios which include a travel agency booking flights of two different airlines.
CONTENTS
Overview
PI ABAP Stack Installation with SWPM 1.0 SP17
PI Java Stack installation
PI Demo setup
Activate SAP NetWeaver Gateway and publish the service for the PI Demo
Install a Bluemix Secure Gateway under Ubuntu for IBM z Systems
OVERVIEW
A mobile device accesses the IBM MobileFirst cloud service. The MobileFirst cloud implementation uses an SAP adapter to talk with
the Bluemix Secure Gateway service. This service opens a secure communication path to the Ubuntu Secure Gateway client running
in the Demilitarized Zone (DMZ). The Secure Gateway client opens a tunnel thru another firewall to the SAP NetWeaver Gateway
which exposes the SAP flight demo data as an OData service.
In the overview figure the mentioned infrastructure components are marked by red ovals and the communication path by a red
arrow.
A more detailed view of the communication is shown in the next figure.
The SAP PI on IBM z Systems (or any other supported platform) running on-premise is on the right side of the figure. The SAP
NetWeaver Gateway is part of the ABAP stack of the PI 7.50 system. It is running under SUSE Linux Enterprise Server (SLES). The
SAP Application and the NetWeaver Gateway sit behind a firewall which allows communication via the standard port of the SAP
Internet Connection Manager (ICMAN).
The Bluemix Secure Gateway (BSGw) client is running on an Ubuntu Linux on another system in the Demilitarized Zone (DMZ). The
BSGw client talks to the SAP system on one side, and on the other side thru another firewall with its BSGw server running in the
Bluemix cloud. For secure https communication, the standard 443 port is used.
A MobileFirst App deployed in Bluemix can now talk to the BSGw server to get data from or put data on the SAP on-premise backend
via an SAP adapter.
The following steps in setting up this infrastructure are described:
- First, the installation of an SAP 7.50 PI system. The SAP installation documentation used is listed, but its information is not repeated here. Only the problems that occurred during the process and how they were solved are described. Also, not all input is shown in the screenshots. It is assumed that the installer has some experience in installing SAP on IBM z Systems.
- Next, the setup of the PI Demo scenarios is described. Again, the SAP documentation is not repeated, only the issues and their solutions.
- Part three describes how to activate the SAP NetWeaver Gateway and how to publish the OData service for the PI Demo scenarios.
- The last part shows how to set up and configure the Bluemix Secure Gateway client under Ubuntu for z Systems. This client is needed and used when defining a Bluemix Secure Gateway Service.
ABAP STACK INSTALLATION WITH SWPM 1.0 SP17
SAP documentation used:
Installation Guide
Software Provisioning Manager 1.0
Document Version: 2.3 – 2016-06-06
Installation of SAP Systems Based on the Application Server ABAP of
SAP NetWeaver 7.1 to 7.5 on UNIX: IBM DB2 for z/OS
Link to current version 2.4: ABAP Installation Guide 2.4
The database was already installed. Its installation is not documented here.
Ran the SAP installation tool in a GUI (for example VNCclient) session. The SAP installation media was unpacked with the SAPCAR
utility as shown:
ihlscob6:/tmp/sapinst_instdir # /usr/sap/ZDE/SYS/exe/uc/linuxs390x/SAPCAR -xvf /common/sapdvds/zscsinst_test/SWPM10SP17/zLin/SWPM/SWPM10SP17_0-20009612.SAR
ihlscob6:/tmp/sapinst_instdir # ./sapinst
Selected the ABAP ‘Standard System’ as shown below:
Used SID “ZPI” and set the ‘Global Password’.
The CLI Driver location in this case was:
ihlscob6:/common/DB2_Connect/V111_FP0_SB35553/LINUX_S390X_64/clidriver # clidriver.SAR
Note that /common is an NFS mounted file system. Its exporting NFS server runs under Linux on z Systems.
Next step was the collection of the database specific input for the DB2 connect parameters.
In our case, they were derived from our Database Provisioning System (DPS): Resources → DB2 Subsystems → Communication.
Hint: You probably have to request them from your DB2 database administrator.
SAP DVDs were located in below directory after being downloaded from SAP Marketplace:
For simplicity the installation was done with a local SLD.
The “Summary” screenshots are not shown here. The installation started.
An error occurred: a DB2 package was not found:
ihlscob6:/tmp/sapinst_instdir/NW750/DB2/INSTALL/STD/ABAP # cat R3load.exe.log
/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: START OF LOG: 20160726163601
(BLD) INFO: sccsid "@(#) $Id: //bas/745_STACK/src/R3ld/R3load/R3ldmain.c#4 $ SAP"
(BLD) INFO: kernel release 745 [UNICODE]
(BLD) INFO: data format 1.8
(BLD) INFO: patch number 201
(BLD) INFO: compiled on "Jul 11 2016 10:48:58"
(PRC) INFO: working directory "/tmp/sapinst_instdir/NW750/DB2/INSTALL/STD/ABAP"
(PRC) INFO: called "/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load -testconnect"
(PRC) INFO: process id 35490
(LOG) INFO: log level: 1
(LOG) INFO: log format: classic
DbSl Trace: DB2 Call 'SQLExecDirectW' Error: SQLCODE = -805 : [IBM][CLI Driver][DB2] SQL0805N
Package "COBZP75.SAP1101U.SYSLH100.5359534C564C3031" was not found. SQLSTATE=51002
(DB) ERROR: db_connect rc = 256
DbSl Trace: DB2 Call 'SQLExecDirectW' Error: SQLCODE = -805 : [IBM][CLI Driver][DB2] SQL0805N
Package "COBZP75.SAP1101U.SYSLH100.5359534C564C3031" was not found. SQLSTATE=51002
(DB) ERROR: DbSlErrorMsg rc = 99
/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: job finished with 1 error(s)
(STAT) DATABASE times: 0.304/0.026/0.026 100.0%/100.0%/100.0% real/usr/sys.
/usr/sap/ZPI/SYS/exe/uc/linuxs390x/R3load: END OF LOG: 20160726163601
Added the Package / Collection ID manually with db2radm utility:
/sapmnt/ZPI/exe/uc/linuxs390x/db2radm -m db2i -P 11003 -L COBZP75 -H boecob3h -C SAP1101U -u VSCH -p ******** -W primary_only
The installation finished successfully:
After the installation it is necessary to do the initial setup steps as described in:
https://websmp103.sap-ag.de/~sapidb/012002523100010638182014E : (Automated Initial Setup of Systems Based on SAP
NetWeaver ABAP)
/nstc01:
SAP_BASIS_SETUP_INITIAL_CONFIG
SAP_BASIS_SYSTEM_CONFIG_CHECK
SAP_BASIS_SSL_CHECK
JAVA STACK INSTALLATION
SAP documentation used:
Installation Guide
Software Provisioning Manager 1.0
Document Version: 2.3 – 2016-06-06
Installation of SAP Systems Based on the Application Server Java of
SAP NetWeaver 7.1 to 7.5 on UNIX: IBM DB2 for z/OS
Link to current version 2.4: Java Installation Guide 2.4
Ran sapinst as described above for ABAP installation. Selected Java ‘Standard System’ as shown below:
SAPJVM8.SAR could be found in:
ihlscob6:/common/sapdvds/Kernel_zLin_745/DATA_UNITS/K_745_U_LINUX_S390X_64/DBINDEP # ls -l SAPJVM8.SAR
-r-xr-xr-x 1 root root 282537666 Nov 13 2015 SAPJVM8.SAR
Used “SID” ZPJ.
In the ‘Software Package Browser’ screen I removed the first line under Media Location since it was a duplicate.
At this step (during the input parameter selection of the Java installation) I stopped, because I had to do the definitions described in the Java Installation Guide under:
5.7 Preparing an External ABAP System as Source for User Data
I created the roles and user described there. Then the installation progressed with the following screen:
I do not include here the “Summary” screenshots. The installation started and ended successfully:
Remark: When I tried to start NWA (NetWeaver Administrator) application (ihlscob6.boeblingen.de.ibm.com:50400/nwa), I got a
‘remote access’ error. The fix is described in SAP Note 1451753 - Filtering of administration requests for AS Java
7.10 PI: Configuring the Process Integration System after the Installation
After you have completed the installation of SAP NetWeaver, you need to set up the basic configuration. You can use the Central
Technical Configuration (CTC) Wizard to automate the configuration tasks.
To configure the Process Integration (PI) system, I executed the “NetWeaver initial setup” CTC Wizard as described in SAP Note
1309239.
CTC Wizard: Select Functional Unit "SAP NetWeaver Process Integration (PI)"
I selected ‘Simple User Name and Password Policy’ for the users that were offered by the installation tool.
Hit the following error:
Found SAP NOTE: 1305716 - PI CTC: Product version 'SAP NETWEAVER PI 7.x' not found.
It refers to SAP NOTE: 669669 - Update of SAP System Component Repository of SLD
Downloaded 3 files:
Imported first cimsap, then crdelta11xxx, and finally crdelta12xxxx
Got error: “No RFC authorization for function module RFCPING”. User PI_JCO_RFC also needed role
SAP_BC_JSF_COMMUNICATION, had only SAP_BC_JSF_COMMUNICATION_RO.
Got error: “Caller J2EE_GST_ZPJ not authorized, required permission missing”. Added role SAP_J2EE_ADMIN with ‘SAP ALL’ rights
for user J2EE_GST_ZPJ.
CTC finished successfully:
Ran Enterprise Services Repository CTC successfully:
Now the PI system is installed and configured. Next step is to setup the PI system to run the PI Demo scenarios.
PI DEMO SETUP
SAP documentation used:
SAP NetWeaver 7.40:
SAP NetWeaver Process Integration - Demo Example Configuration
Document Version 1.0 – October 2013
Document link
All setup steps described in this document follow this documentation, and I will always highlight the chapter titles. From the
prerequisite list, I did only step 5 (SAP Note 517484).
The problems and hurdles encountered during this exercise are described below.
In chapter 4.5.1: Creating Communication Parties for B2B Communication
Needed to create PIDIRUSER (copied from PICACHEUSER) with standard password as system user with roles described in:
https://scn.sap.com/thread/1282671
In chapter 4.5.2: Defining Communication Components
Following error showed up when trying to assign a Business System:
InternalEOAService BusinessSystemAccessor failed
First created or checked the following users. The CTC wizard had not created all users, or, to be more precise, had created some of
the users ending with the SID ZPJ, like PIDIRZPJ.
Service User  Description                                    Assigned Role
PILSADMIN     User for the Change Management Server          SAP_XI_CMS_SERV_USER
PIREPUSER     User for the Enterprise Services Repository    SAP_XI_IR_SERV_USER_MAIN
PIDIRUSER     User for the Integration Directory             SAP_XI_ID_SERV_USER_MAIN
PILDUSER      User for the System Landscape Directory (SLD)  SAP_BC_AI_LANDSCAPE_DB_RFC
PIAPPLUSER    User for sender applications                   SAP_XI_APPL_SERV_USER
PIRWBUSER     User for the Runtime Workbench                 SAP_XI_RWB_SERV_USER_MAIN
PIAFUSER      User for the Advanced Adapter Engine           SAP_XI_AF_SERV_USER_MAIN
PIISUSER      User for the Integration Server                SAP_XI_IS_SERV_USER_MAIN
PIPPUSER      User for principal propagation                 SAP_XI_APPL_SERV_USER
As next step, I checked the log of the Java application server. Started NetWeaver Administrator, then Troubleshooting → Logs and
Traces → Log Viewer: PIDIRUSER login to SLD fails.
Solution is described in an SAP customer record. It contains the following recommendation:
Please check all passwords in the NWA's Configuration ---> Infrastructure ---> Java System Properties ---> Services ---> XPI Service: AII
Config Service section.
Make sure all of these passwords are set correctly, especially com.sap.aii.directory.serviceuser.pwd.
After I modified all the passwords mentioned there and set them explicitly to the master PWD, the access to SLD worked.
Got another error: “Java exception when generating the Web Services Communication Channels”. Ignored this as I did not want to
implement the Web Services scenarios.
In chapter 5.1.2 Configuration in Integration Directory
Step 8. Choose Close.
“The system calls the model configurator. The process integration scenario CheckFlightSeatAvailability is displayed in a graphical
editor.”
Following warning popped up after hitting the ‘Close’ button:
Ignored this warning. Assumed that it may be caused by the failed generation (Java exception) of the WebServices communication
channels.
In the same chapter, another error message was shown when executing under header “Generating the Configuration Objects” the
step:
5. Choose Start:
The objects are generated. The generation log is called.
Found following SCN forum entry: https://scn.sap.com/thread/3831882. It says that the solution is to correct the Software
Component Version (SCV) in the Integration Builder (IB)! In the listed (and other) objects the SCV was something like ID:
7e9a3ca….424100 (see below screen shot)! Changed this to “SAP BASIS 7.50” which is the expected SCV!
Attention: You need to remember some of the ‘settings’ as they were before the change, and add them after the change again.
I noted the settings via screenshots.
In chapter 5.1.3 Executing and Testing
In client 105 ran tx SXIDEMO. It shows following error: “XI system error; No receiver could be determined”.
Solution was to refresh the XI cache with SAP transaction SXI_CACHE
I followed the instructions of the document: “How to Configure the ABAP Cache Refresh” Document link
Then it worked, see next screenshot:
5.2 Booking a Single Flight (Proxy-to-Proxy Communication)
Also had wrong Software Component Version for objects in this scenario. Fix is as described above.
After saving and activating the objects with correct SCV, still the scenario did not work.
In client 001, checked the errors listed by transaction (tx) sxmb_moni under ‘Monitor for processed XML messages’. Found:
Caused by wrong Software Component Version in object. Did a refresh of the cache (tx sxi_cache) in client 001 (the Integr. Server).
Now neither scenario 1 nor scenario 2 (this one) worked.
Found the document “How to: SAP PI Cache Refresh”: www.sapbasistuts.com/home/sap-pi/sap-pi-administration/sap-pi-cache-refresh---how-to-document
Did all steps mentioned in that document, but the scenario 1 CheckFlightSeatAvailability was still NOT working.
Checked again all objects in Integration Builder (IB) for their Software Component Version. Receiver Agreement ZPI_105 | ZPI_107
SXIDEMO_AIRL_FLIGHT_CHECKAVAIL was still wrong!
After correction and tx SXI_CACHE refresh Scenario 1 worked again.
Scenario 2 BookSingleFlight still failed with:
Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions:
sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_BookingOrder_Agency2Airline_.class-1
So it seemed that there is still a wrong SCV. In the IB I changed:
1. All ‘MultipleFlightBookingCoordination’ Receiver Agreements to SAP BASIS 7.50.
2. Deleted in ZPI_106 | FlightBookingOrderConfirmation_Out the ‘local rule’.
Still got an error. Eventually the solution is described in SAP Note 1377033 - How to perform a Single Repository Object Cache
Refresh https://launchpad.support.sap.com/#/notes/0001377033:
Go to http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html and log on as user PISUPER.
Under Runtime select ‘Cache Overview’ and then fill out: Single ES Repository Object Cache Refresh fields for Object Type MAPPING
(interface mapping / object mapping) and XI_TRAFO (message mapping).
Attention: I used Mozilla Firefox to do the refresh.
Internet Explorer did not work for me and it took me quite some time to find this out.
Get the “Operation Mapping” Object ID from Integration Builder:
SCV is what is listed in the error message: 0050568f0aac1ed4a6e56926325e2eb3
Get “Message Mapping” Object ID from Integration Builder:
Checked the CPA Cache Properties (NWA -> Configuration -> Infrastructure -> Java System Properties):
Here, XIAFUser is defined, but it does NOT exist in the system, only PIAFUSER exists. Changed to PIAFUSER (custom calculated value).
Need to do a CPA cache refresh (mapping refresh) for further objects:
Then run tx SXI_CACHE refresh.
Success, SingleFlightBooking worked:
5.3 Booking Connecting Flights (Proxy-to-Proxy Communication)
Further wrong Software Component Version of IB objects and CPA cache updates needed:
Further Operation and Message Mappings missing. Fix as described above (Single ES Repository Object Cache Refresh):
After all of the above Operation and Message Mappings were refreshed in the ES Repository Object cache, another PI cache refresh was additionally needed.
Ran tx SXI_CACHE to refresh the cache. Now the 3rd Scenario worked:
Going to implement scenario 1 with “Proxy-to-RFC Communication”:
6.1 Checking Flight Seat Availability (Proxy-to-RFC Communication)
Another wrong Software Component Version of IB objects:
Fixed wrong SCV as described above.
In step 6.1.2 Executing and Testing the scenario did not work. Got following error in transaction sxmb_moni:
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<!-- Call Adapter -->
<SAP:Error xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SAP="http://sap.com/xi/XI/Message/30" SOAP:mustUnderstand="1">
  <SAP:Category>XIServer</SAP:Category>
  <SAP:Code area="INTERNAL">CLIENT_SEND_FAILED</SAP:Code>
  <SAP:P1>404 </SAP:P1>
  <SAP:P2>Not found</SAP:P2>
  <SAP:P3>(See attachment HTMLError for details)</SAP:P3>
  <SAP:P4/>
  <SAP:AdditionalText/>
  <SAP:Stack>Error while sending by HTTP (error code: 404 , error text: Not found) (See attachment HTMLError for details) </SAP:Stack>
  <SAP:Retry>A</SAP:Retry>
</SAP:Error>
Searched in Google for “http://sap.com/xi/XI/Message/30 client_send_failed 404” and found as first hit: http://scn.sap.com/thread/3475138, which says check RFC connection.
Changed in client 107 the XIDEMO_APPL user to a system user. It was defined as dialog user and was locked.
Running the scenario still resulted in 404 error.
Set the trace level of the Integration Engine to 2 to get more information on the problem:
The higher trace level showed that the error was hit when reading SAP_XIAdapterFramework from SLD. The call http://ihlscob6.boeblingen.de.ibm.com:50200/MessagingSystem/receive/AFW/XI was the one which returned http 404!
Configured with the CTC Wizard the Advanced Adapter Engine. SAP Note 1314855 - Configuration Wizard: PI-AF initial setup
The CTC Wizard ran into error: Cannot read Exchange Profile with user PIDIRUSER.
Now: Accessing ihlscob6.boeblingen.de.ibm.com:50400/exchangeProfile with PIDIRUSER returned a different error: No RFC authorization for function module LCRDB_GET_PROFILE.
Added SAP_ALL profile to PIDIRUSER:
Now it worked, access to Exchange Profile was possible and configuration of the Advanced Adapter Engine was successful.
The CTC Wizard ended successfully.
But I still got http error 404 when testing the scenario. I looked again at the url and especially the port. The used port 50200 is the port of the ABAP instance! My experience is that this must be the port of the now separate Java instance.
I ran http://ihlscob6.boeblingen.de.ibm.com:50400/MessagingSystem/receive/AFW/XI with PIISZPJ user (as in trace) and this url works:
So the wrong port was used! Checked the SLD. The Java AS was not defined as Business System. Defined it, but still got wrong port in url.
Found SAP Note 1556705 “XI runtime: AFW URL with HTTP instead of HTTPS”. It says that the port is taken from an
Exchange Profile parameter. Therefore, I changed it.
Changed in Exchange Profile the port from 50200 to 50400:
Attention: To activate such a change, the adapter entry in the ‘Adapter Engine Connection Data Cache’ must be deleted. You
get there by calling tx sxi_cache, press in the menu bar ‘Goto’ and select ‘Adapter Engine Cache’.
Now I got: Unable to check flight availability. Error Type: XI System error
The XML message trace showed that the wrong user was used, PIISZPJ instead of PIISUSER:
Changed in Exchange Profile: com.sap.aii.integrationserver.serviceuser.name from PIISZPJ to PIISUSER.
Attention: Ignore the message that PISUPER does not have the permission to do the change, it works!
Attention: To activate such a change in the PI cache, the Adapter entry in the ‘Adapter Engine Connection Cache’ must be deleted as
described earlier.
Now I got the error: XI System Error
Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions
http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_FSACheck_Agency2AirlineRFC_Resp_.c~-1
Caused by wrong Software Component Version in object Agency2AirlineRFC. Changed it in IB and activated the change. Refreshed the cache (tx sxi_cache) in client 001 (Integr. Server). Also needed to do a CPA cache refresh for that object:
Get object ID info in ESR for the object:
Go to http://ihlscob6.boeblingen.de.ibm.com:50400/rep/support/admin/index.html and log in with user PISUPER. Under Runtime select ‘Cache Overview’ and fill out: Single ES Repository Object Cache Refresh fields as already described above (use as SCV: 0050568f0aac1ed4a6e56926325e2eb3).
Did full SXI_Cache refresh and CPA Cache refresh and the scenario worked:
An additional update was needed for the ‘non existing flight’ test case:
6.2 Booking a Single Flight (Proxy-to-IDoc Communication)
When activating the IB changes, I got again the error that several objects do not exist, because the SCV is wrong:
Further Operation and Message Mapping missing. Fix as described above:
Did a SXI_CACHE update. Next wrong SCV:
<SAP:Stack>Unable to find resource 0050568f-0aac-1ed4-a6e5-6926325e2eb3 in the following software component versions: http://sap.com/xi/XI/Demo/Agencycom/sap/xi/tf/_BookingOrder_Agency2AirlineIDoc_.c~-1 </SAP:Stack>
Also needed to do a CPA cache refresh for that object. Under Runtime select ‘Cache Overview’ and then fill out: Single ES Repository Object Cache Refresh fields… as already described above… (used as SCV: 0050568f0aac1ed4a6e56926325e2eb3).
Then the scenario worked:
The IDoc display is under SAP Menu → Tools → ALE → ALE Administration → Monitoring → IDoc Display → Display.
I stopped implementing further scenarios here as five are working now and deliver data which can be used for our Demo
App.
ACTIVATE SAP NETWEAVER GATEWAY AND PUBLISH THE SERVICE FOR THE PI DEMO SERVICE
How to activate the SAP NW Gateway
Call tx spro --> Click on 'Display SAP Reference IMG' --> Open 'SAP NetWeaver' --> Open 'SAP Gateway' --> Open 'OData Channel' -->
Open 'Configuration' and click to activate the SAP NetWeaver Gateway:
How to create and activate a service in the NetWeaver Gateway
Close 'Configuration' --> Open 'Administration' and click on 'Activate and Maintain Services':
Click on the 'Add Service' button, search for *FLIGHT* and then select Backend Service "ZRMTSAMPLEFLIGHT_2". I used package $TMP
as I use this service locally.
Click on 'Continue/Enter':
When I tested the service via ‘Call Browser’ I got the http status code 403: forbidden! Needed to activate the service
rmtsampleflight_2 via tx sicf:
Browser test resulted then in:
Click ‘Add System Alias’ to add ‘LOCAL’ to the service. Then in ‘SAP Gateway Client’ the test for GET method shows collections /
data:
The fully qualified url like:
http://ihlscob6.boeblingen.de.ibm.com:50200/sap/opu/odata/IWBEP/RMTSAMPLEFLIGHT_2/FlightCollection/?sap-client=105
returned real data in the Mozilla browser.
Hint: Troubleshooting an SAP NetWeaver Gateway Service: https://blogs.sap.com/2013/08/09/frequent-problems-encountered-in-netweaver-gateway-service-development/
INSTALL A BLUEMIX SECURE GATEWAY UNDER UBUNTU FOR IBM Z SYSTEMS
Prerequisite is a Bluemix user account. Downloaded the native installer for Ubuntu for IBM z Systems via:
https://console.ng.bluemix.net/docs/services/SecureGateway/sg_025.html#sg_050
1. Copied ibm-securegateway-client-1.6.0+client_s390x.deb from Windows to lnxsabgw (used WIN SCP)
Check md5 sum:
vsch@lnxsabsg:~$ md5sum ibm-securegateway-client-1.6.0+client_s390x.deb
ea2133b7263d7b65ceef8dd4572abe98 ibm-securegateway-client-1.6.0+client_s390x.deb
ea2133b7263d7b65ceef8dd4572abe98 is OK...
2. Used bash shell to install the package with
vsch@lnxsabsg:~$ sudo dpkg -i ibm-securegateway-client-1.6.0+client_s390x.deb
Provided as input parameters for the following questions:
a) Supply ACL File, each gateway separated by spaces: /etc/ibm/zpiacl.txt
b) Would you like to use the client UI (Y/N): Y
vsch@lnxsabsg:~$
Created the ACL file zpiacl.txt in /etc/ibm with 644 permissions and with following content. This allows access to port 50200, where
the SAP InternetConnectionManager (ICMan) is listening for http requests:
vsch@lnxsabsg:/etc/ibm$ cat zpiacl.txt
acl allow ihlscob6.boeblingen.de.ibm.com:50200
Started the SG with /usr/bin/sudo /bin/systemctl start securegateway_client
Checked the running client with: cat /var/log/securegateway/client_console_2016_10_12.log
Attention, the log name changes over time as it contains a date.
Stopped the SG with /usr/bin/sudo /bin/systemctl stop securegateway_client
Changed the configuration file /etc/ibm/sgenvironment.conf. It was created empty! In order to find out the syntax of entries,
searched for the filename in Google, which resulted in:
https://developer.ibm.com/clouddataservices/access-an-on-premises-db2-data-server-from-the-bluemix-cloud/
The adapted contents for the connection did not work. Found in the script which starts the SG
/usr/local/bin/securegateway_clientd
the start command:
(cd /opt/ibm/securegateway/client; LANGUAGE=$LANGUAGE /usr/local/bin/node lib/secgwclient.js $SECGW_GATEWAYID $SECGW_ARGS >> /var/log/securegateway/$LOG_FILE.log 2>&1)
Set the parameter $SECGW_ARGS to the correct parameters in order to make the SG work. Finally, the SG started correctly with the
following entries in the /etc/ibm/sgenvironment.conf file. The GW ID and Security Token are taken from Bluemix:
vsch@lnxsabsg:~$ sudo cat /etc/ibm/sgenvironment.conf
#Restart Client
RESTART_CLIENT=Yes
# Configuration ID to connect
# If manually modifying the following, accepted values are:
GATEWAY_ID=pw2us1NwRgG_prod_eu-gb
export SECGW_GATEWAYID=$GATEWAY_ID
# Security Token for this Configuration ID (if any)
SECTOKEN=**************************************************************************************************
**************************************************************************************
Note: Please add here the real security token from the Bluemix GW service.
# Access Control List File
# If manually modifying the following, accepted values are the absolute path to your ACL file
ACL_FILE=/etc/ibm/zpiacl.acl
Args=" --F "$ACL_FILE" --t "$SECTOKEN
export SECGW_ARGS="$Args"
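An added check for the configuration described above (not part of the original document or of IBM's client): it reads sgenvironment.conf without executing it, reports when the file holding SECTOKEN is accessible to other local users, confirms that the ACL_FILE path exists, and flags allow rules wider than one host:port. Treating an empty host or port as a wildcard is an assumption about the ACL syntax, and the sample files and placeholder values are constructed.

```sh
#!/bin/sh
# Added example: static audit of a Secure Gateway client setup.
# Assumes the KEY=VALUE layout of sgenvironment.conf and the
# "acl allow host:port" rule syntax shown on this page.

# conf_value CONF KEY: print the last value assigned to KEY, without
# sourcing the file (so nothing in it is executed).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# lint_acl FILE WANT: report rules that are malformed or wider than one
# host:port, and report when the expected destination WANT is missing.
lint_acl() (
    n=0
    found=no
    while read -r verb action target rest || [ -n "$verb" ]; do
        n=$((n + 1))
        case $verb in ''|'#'*) continue ;; esac
        if [ "$verb" != acl ] || [ -n "$rest" ]; then
            echo "acl line $n: unrecognised rule"; continue
        fi
        case $action in
            deny) continue ;;
            allow) ;;
            *) echo "acl line $n: unrecognised rule"; continue ;;
        esac
        case $target in
            *:*) host=${target%:*} port=${target##*:} ;;
            *) echo "acl line $n: no host:port target"; continue ;;
        esac
        # Assumption: an empty host or an empty port acts as a wildcard.
        if [ -z "$host" ] || [ -z "$port" ]; then
            echo "acl line $n: wildcard allow '$target'"
        fi
        if [ "$target" = "$2" ]; then found=yes; fi
    done < "$1"
    if [ "$found" = no ]; then echo "acl: no allow rule for $2"; fi
    exit 0
)

# audit_sg CONF WANT: findings for the config file and the ACL it names.
audit_sg() (
    conf=$1
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "conf: group/other permission bits set, SECTOKEN not private to owner"
    fi
    acl=$(conf_value "$conf" ACL_FILE)
    if [ -z "$acl" ]; then
        echo "conf: ACL_FILE not set"
    elif [ ! -r "$acl" ]; then
        echo "conf: ACL_FILE $acl not found"
    else
        lint_acl "$acl" "$2"
    fi
    exit 0
)

# make_sample DIR: write constructed sample files. The ACL is saved as
# zpiacl.txt while ACL_FILE names zpiacl.acl, the two file names that
# appear on this page; the ":8080" rule is invented for the demo.
make_sample() {
    printf 'acl allow ihlscob6.boeblingen.de.ibm.com:50200\nacl allow :8080\n' \
        > "$1/zpiacl.txt"
    cat > "$1/sgenvironment.conf" <<EOF
GATEWAY_ID=EXAMPLE_GATEWAY_ID
SECTOKEN=EXAMPLE_TOKEN
ACL_FILE=$1/zpiacl.acl
EOF
    chmod 644 "$1/sgenvironment.conf"
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_sg "$tmp/sgenvironment.conf" ihlscob6.boeblingen.de.ibm.com:50200
rm -rf "$tmp"
```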
Ran in browser the icman ping to see if the correct response is shown:
http://caplonsgprd-3.integration.ibmcloud.com:15363/sap/public/icman/ping
Result: server on host ihlscob6 system ihlscob6_ZPI_02 (000) successfully reached
The following figure shows how to find the host and port used by the SG service under Bluemix:
Then did a cat of the log /var/log/securegateway/client_console_2016_10_12.log:
[2016-10-12 19:08:28.495] [INFO] (Client ID 57477) No password provided. The UI will not require a password for access
[2016-10-12 19:08:28.508] [WARN] (Client ID 57477) UI Server started. The UI is not currently password protected
[2016-10-12 19:08:28.508] [INFO] (Client ID 57477) Visit localhost:9003/dashboard to view the UI.
[2016-10-12 19:08:28.756] [INFO] (Client ID 57483) Setting log level to INFO
[2016-10-12 19:08:28.767] [WARN] (Client ID 57483) The ACL file provided during startup will not be imported until a connection has been established to your gateway.
[2016-10-12 19:08:29.049] [INFO] (Client ID 57483) The Secure Gateway tunnel is connected
[2016-10-12 19:08:29.156] [INFO] (Client ID pw2us1NwRgG_vcU) Your Client ID is pw2us1NwRgG_vcU
[2016-10-12 19:08:29.158] [INFO] (Client ID pw2us1NwRgG_vcU) Synchronizing ACL rules
[2016-10-12 19:08:29.159] [INFO] (Client ID pw2us1NwRgG_vcU) The current access control list is being reset and replaced by the user provided batch file: /etc/ibm/zpiacl.acl
[2016-10-12 19:08:29.160] [INFO] (Client ID pw2us1NwRgG_vcU) The ACL batch file process accepts acl allow ihlscob6.boeblingen.de.ibm.com:50200
[2016-10-12 19:12:20.157] [INFO] (Client ID pw2us1NwRgG_vcU) Connection #1 is being established to ihlscob6.boeblingen.de.ibm.com:50200
[2016-10-12 19:14:27.477] [ERROR] (Client ID pw2us1NwRgG_vcU) Connection #1 to destination ihlscob6.boeblingen.de.ibm.com:50200 had error: ETIMEDOUT
pw2us1NwRgG_vcU> vsch@lnxsabsg:/etc/ibm$
Got an ETIMEDOUT error when trying to establish a connection to the zSAP backend.
Searched again in Google and found:
Are you hitting the ETIMEDOUT while the Secure Gateway Client is attempting to connect to your gateway? If that's the case, make
sure that outbound traffic is allowed on ports 443 and 9000.
Needed to set up two new firewall rules here:
I. Allow the lnxsabsg machine to use port 443 (https) outbound
II. Allow the lnxsabsg machine to use port 50200 (SAP icman of ZPI system) outbound
Now the SG was ready to be used and worked as expected.
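A triage of the client log shown above, as an added example (not part of the original document or of IBM's tooling): it parses the Secure Gateway client log format and reports tunnel state, the unprotected-UI warning, the ACL rules loaded and any failed connections. The function name and report keys are assumptions made for this example; the sample lines are copied from the log above with wrapped lines joined.

```python
import re
from datetime import datetime

# Lines copied from the client log above, with wrapped lines joined.
SAMPLE_LOG = """\
[2016-10-12 19:08:28.508] [WARN] (Client ID 57477) UI Server started. The UI is not currently password protected
[2016-10-12 19:08:29.049] [INFO] (Client ID 57483) The Secure Gateway tunnel is connected
[2016-10-12 19:08:29.160] [INFO] (Client ID pw2us1NwRgG_vcU) The ACL batch file process accepts acl allow ihlscob6.boeblingen.de.ibm.com:50200
[2016-10-12 19:12:20.157] [INFO] (Client ID pw2us1NwRgG_vcU) Connection #1 is being established to ihlscob6.boeblingen.de.ibm.com:50200
[2016-10-12 19:14:27.477] [ERROR] (Client ID pw2us1NwRgG_vcU) Connection #1 to destination ihlscob6.boeblingen.de.ibm.com:50200 had error: ETIMEDOUT
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<lvl>\w+)\] \(Client ID (?P<cid>[^)]+)\) (?P<msg>.*)$")
ACL = re.compile(r"accepts acl allow (\S+)")
START = re.compile(r"Connection #(\d+) is being established to (\S+)")
FAIL = re.compile(r"Connection #(\d+) to destination (\S+) had error: (\w+)")


def triage(text):
    """Summarise tunnel state, UI exposure, ACL rules and failed connections."""
    report = {"tunnel_up": False, "ui_unprotected": False, "acl_allow": [], "failures": []}
    started = {}  # connection number -> timestamp of the connection attempt
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation line or shell prompt
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        if "tunnel is connected" in msg:
            report["tunnel_up"] = True
        elif "not currently password protected" in msg:
            report["ui_unprotected"] = True
        elif (a := ACL.search(msg)):
            report["acl_allow"].append(a.group(1))
        elif (s := START.search(msg)):
            started[s.group(1)] = ts
        elif (f := FAIL.search(msg)):
            t0 = started.get(f.group(1), ts)
            # Tunnel up and destination allowed by the ACL: the failure lies on
            # the network path from the client host to the backend.
            report["failures"].append({
                "dest": f.group(2), "error": f.group(3),
                "seconds": round((ts - t0).total_seconds(), 1),
                "in_acl": f.group(2) in report["acl_allow"],
            })
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the sample, the report shows the tunnel up, the backend present in the ACL and a timeout after roughly two minutes, which is consistent with the missing outbound firewall rule for port 50200 described above.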
Calling the PI backend from a browser via the Bluemix Secure GW and the NetWeaver GW OData service shows, for example, the following
XML-formatted SAP flight data:
SUMMARY
Installation of the PI 7.50 system was basically a standard installation effort.
It was quite an experience and challenge to set up the PI Demo scenarios in an SAP PI 7.50 System, which is no longer based on SAP’s
dual stack architecture, but instead on two separate SAP SIDs, one for PI’s ABAP stack and another one for PI’s Java stack. Given the
many hurdles, I hope that SAP will release a new version of the PI Demo setup documentation some time in the future. In the
meantime, the above technical information may help.
Activating the SAP NetWeaver Gateway and the OData service was straightforward. The same holds true for setting up the Bluemix
Secure Gateway under Ubuntu for IBM z Systems.
So in general opening up an on-premise SAP system for secure access from IBM Bluemix cloud was a relatively easy task, once you
understand all the parts playing a role in this infrastructure game.
Building a mobile Application on top of that running in IBM Bluemix which reads, inserts, updates and deletes data of the on-premise
SAP system is a different story.
Share this document with other users and experts. The document is available in the SAP on IBM z Systems Community at IBM
developerWorks. You are welcome to comment or ask questions there as well.
© Copyright IBM Corporation 2017
IBM Corporation Systems Group
Route 100 Somers, NY 10589
April 2017