Matt Pollicove

Diagnosing “Access Denied. Service is Down” Messages from NetWeaver

At some point in the implementation process we’ve seen the message “Access Denied. Service is Down” when implementing, updating or even running SAP NW IDM. This document will go into a few tips for troubleshooting this message. Hopefully adding a few funny quotes will also help set the mood.

In my experience with these issues I’ve found it’s good to check the following categories:

1. Network Infrastructure.

“I know engineers, they LOVE to change things.” – Dr. Leonard McCoy, Star Trek: The Motion Picture

First things first, check the firewall settings and make sure all of the relevant ports are open. I can’t tell you how many times I’ve had a project stymied because a network engineer did not recognize one of the IDM project’s ports and shut it down. Some initial ones to check:

| Port | TCP | UDP | Service |
|------|-----|-----|---------|
| 50x00 | X | | Your SAP instance |
| 1521/7 | X | | Oracle Database |
| 2483 | X | X | Oracle database listening for insecure client connections to the listener, replaces port 1521 |
| 2484 | X | X | Oracle database listening for SSL client connections to the listener |
| 1433 | X | | Microsoft SQL Server Database (Server) aka Browser service, if running multiple instances, ports can also be assigned dynamically, so check with the DBA! |
| 1434 | X | X | Microsoft SQL Server Database (Monitoring) |
| 389 | X | X | Microsoft Active Directory / Enterprise LDAP Directory |

Also double check DNS.  If you’ve set up a dedicated instance of NetWeaver for IDM to use, it’s possible that the system was not entered into local DNS and/or the firewall as well. These are fairly simple, yet surprisingly common things.
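As an added example (not part of the original post), the following check separates the three failure modes described above: a host missing from DNS, a port silently dropped by a firewall, and a reachable host with no service listening. The host name `idm-nw.example.internal` and instance number 00 (port 50000) are assumptions, and it tests TCP only; the UDP entries in the table need a protocol-specific probe.

```python
import errno
import socket

# TCP ports from the table above. 50000 assumes SAP instance number 00 (50x00).
IDM_PORTS = {
    50000: "SAP instance",
    1521: "Oracle listener",
    2483: "Oracle listener (non-SSL)",
    2484: "Oracle listener (SSL)",
    1433: "Microsoft SQL Server",
    1434: "Microsoft SQL Server (monitoring)",
    389: "Active Directory / LDAP",
}

def classify(host, port, timeout=3.0):
    """Return 'dns-failure', 'open', 'refused', 'filtered' or 'error:<errno>'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"   # host is not in DNS (or the hosts file)
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "open"      # something is listening and the path is clear
        except ConnectionRefusedError:
            return "refused"   # host answers but nothing listens (or a reject rule)
        except socket.timeout:
            return "filtered"  # no answer at all: suspect a firewall drop rule
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def check_host(host, ports=IDM_PORTS, timeout=3.0):
    """Classify every port in `ports` for one host."""
    return {port: classify(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # Hypothetical host name; replace with your NetWeaver or database server.
    for port, state in check_host("idm-nw.example.internal").items():
        print(f"{port:>5} {IDM_PORTS[port]:<35} {state}")
```

A "filtered" result is the one to take to the network team, while "refused" points at the service itself being down.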

2. NetWeaver

“Aye sir, the more they overtech the plumbing, the easier it is to stop up the drain.” — Scotty, Star Trek III: The Search For Spock

Remember, the BASIS team are your friends.  Keep them in the loop and talk to them during your implementation / upgrade / ongoing operations. If new SCAs need to be deployed for WebDynpro or new EARs for REST or GRC, make sure they know about it and don’t be afraid to keep after them.  This might be the easiest “false positive;” you’re sure that you’ve told the BASIS team what needed to be done and what the deadlines were, but it’s YOUR project, so YOU follow up!

Also double check that NetWeaver and its database are up. This is critical when implementing or updating. More so if NetWeaver is undergoing maintenance.  Make sure you’re aware of the maintenance windows before screaming that the system is down.

3. JDBC Configuration in NetWeaver Administrator

Spock: We are traveling at warp speed. How did you manage to beam aboard this ship?

Kirk: You’re the genius. You figure it out.

-Star Trek (2009)

Finally, check with the BASIS team and make sure that the IDM installation was done correctly per this SAP Document. (Login Required)

There are three things to look at here:

1. Always make sure that the data source name is correct.  It should be: IDM_DataSource

2. Make sure you are using the correct database drivers (I’ve written an article about it here) and that you are using the correct database JARs.

3. Finally, when you look at the configuration in NetWeaver Administrator, you’ll notice a spot for database login credentials. Note that these need to be for the PROV user (e.g., mxmc_prov) and that the password must be correct. I have seen issues, particularly on Oracle databases, where the password has been changed and the change in password is not updated in NetWeaver Administrator. This turns into a classic example of “It was working yesterday and now it’s not working today.”

When all else fails:

Spock: Consider the alternatives, Mr. Scott.

Scott: We have no fuel! What alternatives?

Spock: Mr. Scott, there are always alternatives.

-Star Trek: “The Galileo Seven”

Kind of related to the previous section, but I wanted to be able to put in one more quote, and besides, it’s slightly different.

Make sure all services are running. The most important is the JMX service in NetWeaver (tc~idm~jmx~app). I have seen in the past that when the NetWeaver server is rebooted, this one service does not start automatically. Once it gets a manual “jump start” there are no further problems.

I’d even extend this a little bit further to double check database, security, and other services that might be relevant to how NetWeaver and IDM work in your environment.

I’m leaving this as an open document so that if anyone has further notes, observations or strategies they can add them.  If there are other things that need to be explored, please leave a comment.

And of course all quotes are (c) to their respective owners.

Useful port information – http://www.stengel.net/tcpports.htm

      11 Comments
      Billy Warring

      Heads up on the MS SQL port:

      143 TCP Internet Message Access Protocol (IMAP)—management of email messages

      The following is for MS SQL:

      1433 TCP MSSQL (Microsoft SQL Server database management system) Server Official
      1434 TCP UDP MSSQL (Microsoft SQL Server database management system) Monitor Official

      But this also does not account for M$ having set dynamic instance ports, so if you have firewalls to work with you will need the DBA to set a static port.

      I would also recommend TCP and UDP columns as that can also make or break things, while troubleshooting!  😀

      Matt Pollicove
      Blog Post Author

      Whoops, that's a typo!  Thanks Billy, I will fix that right away and add in 1434.

      I don't even want to get into Dynamic ports since I'm not a DBA, but I suppose it should be mentioned. 🙂

      Matt Pollicove
      Blog Post Author

      Billy, can you either edit or let me know what is TCP and UDP?

      Thanks!

      Matt

      Billy Warring

      Not a problem, how does it look now; I also added some edits on the dynamic port for MS SQL and new ports for Oracle.

      Matt Pollicove
      Blog Post Author

      Thank you, Billy!

      Steffi Warnecke

      Quotes from Star Trek... how could I resist?! *sigh*

      Thank you for this troubleshooting checklist, Matt! I have found that #3 and #3 3/4 are most of the time the problems in our case.

      Especially because of reboots we tend to see the message pretty often, for the service doesn't start up automatically with our system and I have to push it every time. :/  Lazy thing!

      Regards,

      Steffi.

      Matt Pollicove
      Blog Post Author

      Steffi, I knew you would like that touch!   Seriously, glad you enjoyed it. Feel free to expand on it.

      Matt

      Pradeep Agarwal

      Awesome Document!! 🙂

      Matt Pollicove
      Blog Post Author

      Thanks!  Rates and likes always appreciated!

      Former Member

      thanks for sharing, matt!

      Former Member

      In my case, the user MXMC_PROV was locked. After I unlocked the user at the database level, everything was OK.