Skip to Content

Installing Duet Enterprise: The SAP side — A Video Guide

Duet Enterprise is now General Available (GA) and can be downloaded from the Service Marketplace.

[DVD: ( -> Installations and Upgrades -> A – Z Index -> D -> DUET ENTERPRISE -> DUET ENTERPRISE 1.0 -> Installation;

Latest Service Pack SP02: ( -> A – Z Index -> D -> DUET ENTERPRISE -> DUET ENTERPRISE 1.0 -> Comprised Software Component Versions -> SAP IW FND 100 & SAP IW CNT 100 & SAP IW TNG 100 , …].

For more detailed information on Duet Enterprise register to attend the Duet Enterprise Virtual Launch Summit ( on Feb 1, 2011. Some of the feedback that we got during Ramp-up was in regards to the Installation of Duet Enterprise. Although not really complicated there are some steps that are pretty mundane and chances of making simple errors were pretty high. 

Taking this feedback we developed an Installation Wizard which is now available with Duet Enterprise 1.0 SP02. 

In this blog I want to outline how this Wizard works and also show how easy it now is to get a Proof-of-concept up and running within less than one hour. For now I will only focus on the SAP side of the installation (which is covered in the 20 minutes video below). My assumption in this blog is that the Microsoft side of the installation is done by a SharePoint administrator sitting in a different building and will be covered in the next blog.

So let’s get started: As you probably know the SAP side of Duet Enterprise landscape is running on a NetWeaver 7.02 SP05+ ABAP stack (the so called Service Consumption Layer, SCL). Since this is more or less a basic NetWeaver installation, I do not want to go into details (the standard documentation on ( -> SAP NetWeaver 7.0 should help). 

Once the NetWeaver system is installed there are some prerequisites steps that cannot be performed by the Installation Wizard. So at first we will check these things:

** Setting profile parameters for SSL

** Required software components (NetWeaver 7.02 SP05+, WEBCUIF 7000, IW_FND 1.0 SP02, IW_CNT 1.0 SP02, *IW_TNG 1.0 SP02*) and security libs (SAP SecuLib)0.1. Roles and Users (if we want to fully configure some scenarios)

{code:html}Checking Prerequisities after NetWeaver 7.02 SP05+ installation{code}

(Click on the Image to start the Video)

After that make sure to also check composite Note 1539888 ( which contains the latest updates to the Wizard. It is highly recommend to implement all the notes that are mentioned there so that the Wizard works (e.g. a correction to the logical ports creation is already available (Note 1542366 ( or required customizing might not be transported to your client and has to be either copied from client 000 or imported via BC sets available from Notes)

In addition to this “SAP-only” prerequisites information there is also some Microsoft related information that has to be available throughout the wizard. The following table lists this content. All of which should be available in a standard SharePoint installation and is not related to any Duet Enterprise specific installation / configuration – so it can be handed over to the SAP admin right after SharePoint is installed.

| | *Field*| | *Example*| HTTPS URL to the SharePoint Server |  | | SSL certificate of the SharePoint server | | contosoUpdatedModelsDuetSSLCert.cer| STS certificate of the SharePoint server | | contosoUpdatedModelsDuetSTSCert.cer| BDC Files | | |  |  | | AD DS Server name | contosoDC  | | Port number of AD DS | 389 | | AD DS account and password | ContosoADUser | | Attribute in AD DS where SAP user name is maintained | This name is an attribute in AD DS. For example, sAMAccountName. | | User Base Domain Name | CN=Users,DC=dev24,DC=dev,DC=contoso,DC=com |    The information regarding the connection to the Active Directory Domain Service (AD DS) is only required if usernames on SharePoint are different from the ones on the SAP side. If they are the same, the connection to the AD DS is not required. In my case I have the luxury of working as an Administrator with SAP_ALL permissions on the NetWeaver system. If that is not possible in your case, you can use the Authorization template /IWTNG/LCMWIZARD  which holds all of the required permissions to run the Wizard. Of course – since the Wizard does also do some configuration on backend systems – you will also have to have some permissions there. These permissions are mentioned in the deployment guide ( ( -> Duet -> Duet Enterprise 1.0 -> Duet Enterprise SAP Deployment Guide). 

Start the Wizard:  You can start the Wizard via transaction /IWTNG/LCM. If you get an error message like this:


then the required customizing entries from tables – /IWTNG/LCMCONFIG, /IWTNG/LCMSTCONF and  /IWTNG/LCMSTEPS were not transported from client 000 to the productive client you are currently working on. You can either manually copy them from client 000 or you can take the BC set that is attached to Note 1544169 ( Just download the BC set and upload it via transaction SCPR20 (menu BC Setup -> Upload)


(you might have to user the package name /IWTNG/LCMTOOL when importing the BC set light outlined in the Note) In the dialog select the BC set file attached to the Note and activate the BC set …


and make sure that you select “Expert Mode” in Select Activation Mode.


Now the required customizing tables will be populated and the Wizard will show the first start screen: 


In the first overview screen you can choose what the wizard should do. On a Sandbox system you probably want to run everything. Even on a productive landscape it can make sense to run the wizard, but you might – for example – want to skip the creation of the Self Signed SSL certificate or some other steps. So what does each step mean: h3. Basic 0.1. Basic Configuration In this step the very basic configuration steps are performed. You have to remember that the assumption for the Wizard is that you just installed NetWeaver and prepared some of the steps. Not one service or RFC is created yet. So in this step required RFC destinations are created, bgRFC configurations are performed, services via SICF are released, idempotent services are defined, one service user is created and also a Self Signed SSL certificate is created. As with all the steps there is a documentation link next to each. If this information is not good enough, then take a look at the related chapter in the deployment guide. (in one of my next blogs I will also explain in detail what exactly the wizard does in every time — right now it is just about running it :))


0.1. Security Configuration Duet Enterprise uses SAML to authenticate users from the SharePoint server in the NetWeaver system. In order to do that SAML has to be configured on the NetWeaver system and a trust has to be established to the SharePoint server which is used as a Security Token Service (STS). After that the Web Service end-points – that are used by SharePoint to retrieve data from the NetWeaver system – are released. Finally a connection to the Active Directory Domain Service (AD DS) is created which is used in the next step to perform usermapping that is required by SAML. This connection is used if your usernames in the AD DS and the usernames in the SAP system are different. In this case you can perform a mapping of these two usernames if the SAP username is also maintained in the AD DS. If the usernames are the same, you can deselect this step and use the BAdI attached to Note 1542681 ( to perform the required mapping.

| image

| | image

The attribute in which the SAP usernames is stored can be configured in the next screen. Again, if you deselected the AD DS configuration in the step before (because you have similar usernames in AD DS and SAP), then also skip this step. You can then later on populate the User Mapping table manually by following the steps in Note 1542681 ( and running this BAdI from SIMGH -> Service Consumption Layer Administration -> Consumer Settings -> Map SAP User Names to Consumer)


0.1. Connect to SAP System(s) X In this step the connection to the SAP Backend system is established. Not only are required RFC destinations created, but also a trust is established. For HTTP based communication (PSE) certificates are exchanged, for RFC communication the NetWeaver system is configured as a trusted system in the backend. The “X” in this screen means how many system you want to connect. If you have only one, then choose 1 :), if you have more, then just change the number and you will be prompted for each backend system. {code:html}Workflow{code} First select the RFC destination that was either created manually or automatically in the step “Connect to SAP System(s) X” by the Wizard. Then you can use the two “Create Logical Port” buttons to semi-automatically create the required logical ports in the backend system. This is an OK-code driven approach, where you just have to confirm several steps before pasting the needed URL in the relevant fields. All that is left is to save and activate the logical ports (take a look at the video, it all makes sense then :)) Once that is done you can activate the BC set for Workflow


0.1. {code:html}Reporting{code} Similar like with Workflow the reporting configuration has a semi-automated logical port configuration in the backend system and also a link to activate the BC set for Reporting


0.1. {code:html}Starter Services{code}

This is a little different, because Starter Services does not use “old” logical ports in the backend system. Instead in a first step (provider) web services have to be activated on the backend system. This is explained in detail in Note 1480794 ( When activating these services you create a profile that must be exported and imported in this step of the wizard. Then we need the so called “External Application key” from the backend system and a service userthat will be used during design-time to retrieve the WSIL information from the provider system. Depending on your backend system there is a possibility that the automatic creation of service activation will note work for all services (you can check this via SOAMANAGER -> Service Administration -> SOA Configuration Request Queue Management. If you see any entries for /IWCNT/CODELIST_SERVICE_GROUP in the queue, check {code:html}Note 1500721 – Matching Interface for QueryCodeList Service{code}. After that you can “Start request queue processing” again and it should work 🙂  Finally, after the system connection is established the BC set for Starter Services can be activated. |

image | | image

Exchange Data to SharePoint Now the SAP side of the configuration is almost done. In a final step the so called BDC Models have to be exported and handed-over to the SharePoint admin. Once the admin is done with the SharePoint side of the configuration the SAP admin can finalize the configuration on the SAP side.  0.1. Create Model files for SharePoint In a first step the Models which are shipped with SP02 can be uploaded to the NetWeaver system and the URL to SharePoint can be specified. These models are not stored on the DVD anymore, but are available on the SharePoint server under C:Program FilesDuet Enterprise1.0SAP Service Models and they have to be handed over from the SharePoint admin to the SAP admin. Do not use the files that are on the DVD — these are for SP01 and not compatible with SP02.


0.1. Data to be handed over to SharePoint Administrator … and now we are at a point where we can hand over the required data to the SharePoint administrator. With this information the SharePoint administrator is able to begin with the SharePoint side of the Duet Enterprise specific configuration.


Once the SharePoint Admin is done with the configuration, additional data can be handed over to the SAP Admin:  | | *Field* | | *Example* | URL to OBAFileReciever for reporting | [ OBAFileReceiver.asmx?wsdl | https://contoso:443/sites/DuetEnterprise/_vti_bin/OBAFileReceiver.asmx?wsdl] | | URL to OBAWorkflowService for Workflow | [ OBAWorkflowService.asmx?wsdl | https://contoso:443/sites/DuetEnterprise/Tasks/_vti_bin/OBAWorkflowService.asmx?wsdl] |  | | *Account name* | | *Description* | Report publisher account | ContosoReportingUser | | SAP workflows service account | ContosoWorkflowUser |  0.1. SharePoint related Configuration With this information the configuration for Workflow and Reporting can be finalized.


Having outlined the steps above, lets take a look how the configuration really works. I try to explain most of the steps in the following 20 minutes. The following  slide outlines the landscape overview. In my example I have one SharePoint 2010 server, one Active Directory Domain Server which would have all the usernames available, one NetWeaver 7.02 / Service Consumption Layer and two backend systems (one for Reporting & Workflow, one for Start Services). Although in my case the usernames in AD DS and SAP are the same, I am using the AD DS synchronization. This is mainly to show how it is done. Usually I would have skipped the steps (as outlined above) and used the BAdI instead. 


With that, let’s take a look…

{code:html}Duet Enterprise 1.0 SP02 Setup Wizard{code}

(Click on the image to start the Video) After completing the steps in the wizard, you should already see data in SharePoint for the ready to use capabilities “Start Services” and “Reporting”. There are still some specific steps required to get everything working so I would like to highlight some of the points (I will skip Workflow, because it requires some additional customizing in the backend system). *Starter Services* In order to use the “Edit Customer” functionality in Start Services, you must first run the “Refresh Code List Cache”. For this go to SIMGH -> Service Consumption Layer Services Administration (don’t overlook the Services)


Choose “Refresh Code List Cache”


Enter the Consumer ID “SHAREPOINT_INT” and the required Language, e.g. EN and click on Execute. image 


Depending on your NetWeaver configuration you might have to deactive “old” Business Object groups that might be active by default. Fort Starter Service and Workflow that should not be a problem, but Reporting will fail.

So go to SIMGH -> Service Consumption Layer Administration -> General Settings -> Manage Business Object Groups and make sure that only the Business Object groups that you created via the BC sets are active (by default the SharePoint Integration, SPI_*:)

The BC set that you activated during the Wizard created several reporting templates that you should already see on SharePoint. However, not all of these templates will run right away. If you have a BW system connected most of the reports will probably work. If not, then you can still run some demo reports which are executed on the SCL itself. For that you just have to run the report /IWCNT/DEMO_REP_LP_CONFIG on the SCL which performs some required configuration (like creating required RFC destination). 


You must be Logged on to comment or reply to a post.
  • Tnx Holger for the clear overview and sharing the nasty parts and usual error's with us.
    Looking forward to your next blogs

    Cheers, Pim de Wit (@pimdewit)

  • Hi,

    Even we followed the same we are facing some errors. and I can post those errors.we have configured the SCL system perfectly without any Failures. But when we try to create Site in Share pont we are facing issues. Please suggest us as you are an expert in this.


  • Hello, please help me with the following doubt... the user SP_ACCESS wich authorizations must have in DUET?

    As I have seen, the user is just used to stablish an http connection, and in my system the used was created with SAP_ALL & SAP_NEW and those authorizations are not necessary.

    • The SP_ACCESS user does not need to have have any permissions. It is only required to authenticate the call for a specific webservice initated from the SharePoint server. It certainly does not required SAP_ALL & SAP_NEW.