Skip to Content

Sometimes things in your Alloy landscape just don’t want to behave like they should. One good start to find out what’s going on in your Alloy landscape is by checking the connections between AS Java and AS ABAP, as well as between AS Java and Lotus Domino Server.

Check connection from AS Java to AS ABAP

Alloy requires a trusted relation between AS Java and AS ABAP. Therefore both systems must exchange certificates during setup. We can use SAP NetWeaver Administrator to check whether the required trusted connection is working properly: Open SAP NetWeaver Administrator on your AS Java by entering:

http[s]://<hostname>:<port>/nwa

in your Web browser.

SAP NetWeaver Administrator

SAP NetWeaver Administrator will show up. Click on Configuration and then on Trusted Systems to see all the systems your AS Java trusts.

Trusted systems

In the given screenshot system E05 is our AS ABAP and we want to check whether we are still able to reach it. Click on Check Against Issuing System and select By Querying Issuing System.

Check Against Issuing System

Fill out the connection details on the pop up that will appear.

!https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_TS_Check_Values.jpg|height=1|alt=System details|width=1|src=https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_TS_Check_Values.jpg|border=0!System details

Afterwards press Next.

The AS Java will now try to connect to the AS ABAP and if this succeeds, it will verify the certificate.

Check OK

This is what it looks like, if the trust is established correct and the communication

between AS Java and AS ABAP works fine.

<u>Check connection from AS ABAP to AS Java</u>

So knowing that the AS Java is able to call the AS ABAP is a good start. But is the ABAP also configured right that the Alloy components on the AS ABAP are also able to connect to the AS Java?

There’s a very simple way to find this out. Log on to your AS ABAP system and call transaction se37: The Function Builder.

Function Builder

Enter the Function Module: */OSP/GET_RM_INFO *

What this function module basically does is, connect to the AS Java and get all configured Alloy users and roles. So if that function module is working fine, all other Alloy parts on the AS ABAP are also doing fine in regards to the AS Java connection.

Press F8 twice and you should see a result like this:

se37 Parameters

6 Alloy roles and 171 Alloy users were successfully retrieved from the AS Java.

With that we can be pretty sure that the communication between AS Java and AS ABAP is doing fine. But what about the connection from AS Java to Lotus Domino where the Alloy Web Service is running?

<u>Check connection from AS Java to Lotus Domino</u>

Let’s see if the AS Java is able to call the Lotus Domino Server (_better:_ the Alloy Web Service Application via the HTTP Service running on the Lotus Domino).

Open the Visual Administrator of your AS Java.

Navigate down the tree: Server -> Services -> Destinations

Visual Admin: HTTP Destination

Expand HTTP Destinations on the right side and select Domino.

This is the connection the AS Java uses for SAML authentication with the Lotus Domino Server. Click on Save and Test in order to perform a connection test.

The result should look like this

!https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_SAML_OK.jpg|height=117|alt=SAML OK|width=268|src=https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_SAML_OK.jpg|border=0

Even though the Content type null might scare you, it’s correct. If your response contains Content type text/html;charset=UTF=8 instead of *Content type null *

!https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_SAML_ConnectionOK.jpg|height=118|alt=SAML User authentication failed|width=284|src=https://weblogs.sdn.sap.com/weblogs/images/972/J2EE_SAML_ConnectionOK.jpg|border=0

AS Java was able to reach the Lotus Domino Server, but the SAML authentication failed. Make sure the username and password which are defined for this HTTP Domino connection are set correctly. The required user name here is the full qualified Alloy Domino User name as given during Alloy landscape setup.

In case the AS Java couldn’t get a connection to the Lotus Domino server at all, you’ll get an error message popup with some more details on what exactly went wrong.

In this case make sure the given URL is correct in the HTTP Domino destination. You could also try to ping the Lotus Domino host from the AS Java host to check the basic network connection.

Also try to call the Lotus Domino HTTP Service from the AS Java host via your Web browser. This should result in some Lotus Domino (or Lotus Sametime if installed) log in page.

Lotus Login

Lotus Login

<u>Check connection from Lotus Domino to AS Java</u></p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”> </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”>The same connection test we just did from AS Java to the Lotus Domino could also be done from the Lotus Domino Server to AS Java. Like in the test before, we’ll also verify whether the SAML authentication from the Lotus Domino to the AS Java is setup correct.</p>Open a Web browser and enter the following URL:<br />http[s]://<DominoHost>:<DominoHTTPPort>//NDERPWs.nsf/TestSAMLService?openAgent&username=<Alloy SAP User>  <p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”> </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”>!https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_Check.jpg|height=1|alt=SAML Check|width=1|src=https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_Check.jpg|border=0!!https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_Check.jpg|height=400|alt=SAML Check|width=623|src=https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_Check.jpg|border=0! </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”> </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”><u>Heads up on this:</u> The username that is required in the URL parameter is the Alloy SAP User name created during Alloy setup on the AS ABAP. </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”>The user that is required for the Lotus Domino login, is the full qualified Alloy Domino user. Something like this</p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”> </p><p style=”margin: 0cm 0cm 0pt” class=”MsoNormal”>!https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_OK.jpg|height=1|alt=SAML OK|width=1|src=https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_OK.jpg|border=0!!https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_OK.jpg|height=260|alt=SAML OK|width=700|src=https://weblogs.sdn.sap.com/weblogs/images/972/DOMINO_SAML_OK.jpg|border=0!</body>

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Cristiana d'Agosto
    Hi Dirk,
    great blog.
    When I used the FM /OSP/GET_RM_INFO, all 3 Export Parameters, i.e.ET_MENDOCINO_ROLES, ET_MENDOCINO_USERS and ET_MESSAGE_STORE   returned nothing, empty tables?

    Any suggestion as to what we might be missing?

    Thanks, Cristiana

    (0) 
      1. Cristiana d'Agosto
        Thanks for the quick reply. I sent you answer to the J2EE consultant. He said that maybe it is j2ee deployment.. but the deployment gave no errors – is there any way to be 100% sure if the J2EE deployment was 100% successful? Perhaps we should redeploy it and see what happens?
        Thanks and regards,
        Cristiana
        (0) 
        1. Dirk Lehmann Post author

          If the deployment is successful, you’ll be able to see the deployed Alloy applications in the Alloy admin ui (http[s]://Dirk

          (0) 
            1. Cristiana d'Agosto
              And that’s a piece of the error log:

              DEMO_USER3#bdebb6607d0a11deba94005056000000#SAPEngine_Application_Thread[impl:3]_39##0#0#Info#1#com.sap.security.core.server.ws.service.handler.AuthorizationHandler#Plain#Permission denied for access to createClientApplication###
              #1.5 #00505600000000620000004E00000FDC00046FEC110B7C58#1248959595765#/System/Security/WS/SecurityProtocol#sap.com/xapps~osp~services~enterpriseapp#com.sap.security.core.server.ws.service.ServerSecurityProtocol.handleRequest#DEMO_USER3#643##w200345sap2.au.ibm_PTL_4346150#DEMO_USER3#bdebb6607d0a11deba94005056000000#SAPEngine_Application_Thread[impl:3]_39##0#0#Error#1#com.sap.security.core.server.ws.service.ServerSecurityProtocol#Java###An error occurred while processing the transport security. Reason: {0} {1}. See trace entry {2}.#3#java.lang.SecurityException#Authorization failed for the specified security roles. For details see log entry 00505600000000620000004B00000FDC00046FEC110B7AC4.#[no trace for com.sap.security.core.server.ws.service.ServerSecurityProtocol (severity above PATH)]#
              11:22:41 PM

              Permission denied for access to createClientApplication

              Any ideas? (sorry for so many questions and doubts!)

              (0) 
              1. Cristiana d'Agosto
                Ok – we have given our user demo_user3 admin rights in J2EE and it seems to do the trick!
                We have now successfully registered Leave, Travel and Report! Thanks for your help!
                (0) 
            2. Dirk Lehmann Post author
              No worries…but we might shift this dicussion in the Alloy forum, so that more people could benefit from it.

              Have you checked the ABAP<->J2EE Connection as explained in this blog?
              (Call SAML on Domino: http://Name>/NDERPWs.nsf/TestSAMLService?openAgent&username=)

              Most probably the user with which you create the Alloy applications in Domino isn’t mapped to some SAP user. So can you check whether your Domino user (which you use to login to Domino Admin and try to create the Alloy apps) has also a SAPID mapped in his/her people document in names.nsf. (so like all the other Alloy users).
              If so, the given SAPID here, must have Administrator rights on the SAP J2EE. So the SAPID used for mapping here should be in the J2EE group “Administrators”.

              Hth

              Dirk

              (0) 

Leave a Reply