Configuration and setup HANA XS Apps with HANA DB SSO (BASIS Activities)

Below are some of the steps that I used to configure the SAP HANA XS apps (HANA live apps) such as KPI modeler, Analytics foundation apps and so on for which the content is in the HANA DB (In the form of the HANA delivery units we apply for those apps) but the apps are viewed in the FIORI URL. So to make this perfectly work we have below steps such as applying the delivery unit for the app, Web Dispatcher routing configuration, SSO between ECC ABAP and HANA DB and finally replication of ABAP users in HANA DB. Though these configurations are used less now a day, due to the introduction of S4 and its own FIORI apps but the different steps and configuration explained here can be used in different use cases.

Our Environment:

ECC EHP 8 with HANA DB.

Importing delivery units:
Make sure to check the FIORI apps library for the frontend and backend requirement (HANA DB in this case) for you app.

There are several ways to deploy delivery units. Below are the popular methods,

1. Through the HANA studio. (which is shown)
2. Through command line in OS level.
3. Through HANA cockpit. (best way to do)

Take a Backup before start of this activity and try it in DEV or testing environment first.

Below procedures show how we can import delivery unit through HANA Studio.

Step 1: Click File – Import.

SAP HANA, SAP HANA XS, SAP HANA DB

Step 2: Select the Delivery unit option from the SAP HANA Content drop down.

SAP HANA, SAP HANA XS, SAP HANA DB

Step 3: Select the System (HANA SID) into which you want to import.

SAP HANA, SAP HANA XS, SAP HANA DB

Step 4: Select the Appropriate TGZ file downloaded and extracted from SAP Market place

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Click Finish.

Similarly import all the delivery units required.

Web Dispatcher Configuration:

Please add the following Web dispatcher entry as below,

wdisp/system_(no.) = SID=EXT, EXTSRV=http://<hana host name>:80(nr), SRCURL=/sap/hba;/sap/hana/

hana host name= Host name or IP of server when HANA DB was installed.

Nr= Instance no of the HANA DB.

According to above,

When /BOE service is called it goes to wdisp/system_0

When /sap is called it goes to either wdisp/system_1 or wdisp/system_2

In case of /sap it can redirect to either system 1 or system 2, so the web dispatcher checks the next service to /sap called- if /sap/hana or /sap/hba is called it goes to system 1 if other service is called (i.e) /sap/<any service other that hana or hba>/ it goes to system 2.

For the above condition to work – below parameter is maintained,

Next: let us proceed configuration for SSO between FIORI Front end and HANA DB.

It has three steps.

Step 1: Exporting ECC front end system (FIORI ABAP System) certificate:

T-Code STRUSTSSO2

SAP HANA, SAP HANA XS, SAP HANA DB

Click Export Own Certificate of FIORI Front end:

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Import that file in HANA DB:

To do that,

Launch HANA Cockpit: Right click – Configuration and monitoring – Open SAP HANA cockpit.

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Open the App — Certificate store:

SAP HANA, SAP HANA XS, SAP HANA DB

Click import.

SAP HANA, SAP HANA XS, SAP HANA DB

Now Select the certificate which you have exported from FIORI Front end System.

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Then Open the App — Configure Certificate collections App:

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Now Create Certificate Collection by clicking the + button:

SAP HANA, SAP HANA XS, SAP HANA DB

Give it a name.

Click Edit and edit that certificate collection:

Edit the purpose

SAP HANA, SAP HANA XS, SAP HANA DB

Save it.

SAP HANA, SAP HANA XS, SAP HANA DB

Then add the certificate which you previously imported by add certificate Button:

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Step 2: My login ticket issuing URL for this SSO is my Fiori URL (which the end user is going to use): In my case the Web dispatcher URL through which FIORI is accessed.

SAP HANA, SAP HANA XS, SAP HANA DB

Then Connect HANA DB in HANA Studio:

SAP HANA, SAP HANA XS, SAP HANA DB

Open Administration by double clicking the HANA DB SID in studio.

In the Configuration tab, expand the section xsengine.ini–>authentication. (add if the authentication option is missing)

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Set (or add) the parameter: logonticket_redirect_url.

SAP HANA, SAP HANA XS, SAP HANA DB

Enter the URL that points to the system and service issuing SAP logon tickets, for example:

https://<web dispatcher hostname>:<portnumber>/<path/to/logon_ticket/service>

Type the parameter in key and

Paste the URL copied in notepad in the value box,

Step 3: XS Engine Run-time configuration.

Maintain the run-time configuration for the application that you want to use SAP logon tickets for user authentication. In this case the HANA live apps and the configuration has to be maintained for those contents.

You can use the Web-based SAP HANA XS Administration Tool to complete this step. The tool is available on the SAP HANA XS Web server at the following URL:

http://<HANADB Host>:80<SAPHANAinstance>/sap/hana/xs/admin/

Choose XS Artifact Administration.

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Steps:

◈ Locate the root package of the application whose run-time configuration you want to modify. In this case the HANA live apps and the configuration has to be maintained for those contents.

Use the Packages list in the Application Objects plane.

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

◈ In the Security & Authentication tab, enable support for SAP Logon/Assertion Ticket.

SAP HANA, SAP HANA XS, SAP HANA DB

Do the same for all Application root package.

◈ Save the changes you have made.

* Synchronizing ECC users and DB users: (To create users in Db directly from ABAP system):

First Connect to DB in T-Code DBCO:

SAP HANA, SAP HANA XS, SAP HANA DB

Add a new entry:

SAP HANA, SAP HANA XS, SAP HANA DB

Fill the details and connect to Db with Sufficient privilege (SCHEMA user is preferred):

SAP HANA, SAP HANA XS, SAP HANA DB

Then we have to maintain entry in table.

Entry to be maintained:

DBCO Connection name and Client from which you need to create DB user.

So Go to SM30 to maintain the table USR_DBMS_SYSTEM

SAP HANA, SAP HANA XS, SAP HANA DB

New entry

SAP HANA, SAP HANA XS, SAP HANA DB

Maintain the entry

SAP HANA, SAP HANA XS, SAP HANA DB

DBCO connection and source client for DB user creation.

Save it.

Kindly verify the same using SE11

SAP HANA, SAP HANA XS, SAP HANA DB

Then try to execute the program RSUSR_DBMS_USERS in SE38

SAP HANA, SAP HANA XS, SAP HANA DB

It should execute without any error in the admin client (source client for DB user creation):

SAP HANA, SAP HANA XS, SAP HANA DB

For other clients or if the above activity is not done it will display error as below;

SAP HANA, SAP HANA XS, SAP HANA DB

To verify the above configuration is done correct- now go to SU01, enter a ABAP user id,

SAP HANA, SAP HANA XS, SAP HANA DB

Click EDIT.

Now a new tab DBMS will appear in the user edit menu,

SAP HANA, SAP HANA XS, SAP HANA DB

From where you can create a DB user for the ABAP user you have edited and also administer them (like granting roles).

Eg: Refer below screenshot,

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

SAP HANA, SAP HANA XS, SAP HANA DB

Now hand it over to FIORI consultants to activate the HANA DB dependent apps.

If the web dispatcher routing is missing, we will get the below error – cannot load tile. Because the Tile is unable to access the content in HANA DB due to the missing route

SAP HANA, SAP HANA XS, SAP HANA DB

If the Web dispatcher configuration is done correctly and SSO configuration is not done – it will ask for DB level credentials.

The same will happen if the user is not created in DB level or sufficient role is missing.

SAP HANA, SAP HANA XS, SAP HANA DB

All configuration (web dispatcher and SSO configuration is done), it will show the KPI apps after FIORI login.

SAP HANA, SAP HANA XS, SAP HANA DB

The above procedures for HANA live apps in ECC product but my guess is it is not required for S4 HANA product. Though this configuration is old, there are different configuration setup such as web dispatcher configuration, SSO and replicating users in ABAP to HANA DB which can be used in different cases.

Leave a Reply

Your email address will not be published. Required fields are marked *