If you use Remote Role Assignment (RRA) in a federated portal network (FPN), and have encountered some performance or availability issues on the consumer portal whenever the producer portal is down, the following information is relevant for you.
When using Federated Portal Network in the SAP Enterprise Portal, one of the considerations that need to be addressed is the availability of the producer portal.
The following is a quote from SAP Note 880482 – “FPN: Federated Portal Network Central Note”:
Performance regression on FPN consumer portal when producer portal is not available:
An SAP NetWeaver [enterprise portal] consumer can become unresponsive when any of its registered producer portals are either unavailable or not responsive. When planning to shut down or restart a portal that functions as a producer for any other consumer portal, you must first block the connection to the producer portal from its respective consumer portals using the FPN administration UIs.
It is expected that the producer portal is up and running at all times, because unexpected downtime or lack of proper planning from the FPN perspective can damage the consumer portal functionality.
To overcome these issues, there are several options, described below.
Planned Producer Portal downtime
In case of a planned downtime of the producer portal, it is recommended to block access to the producer in advance. It can be done easily using the UI under System Administration -> Federated Portal.
For SAP Enterprise Portal 7.3 and above, under “Manage My FPN Connections”, you can prevent/allow access to connections (as consumer or as producer).
In addition, for newly-created FPN connections, you can control access to and from your system via the “Connection Options” tab under the Control Panel.
You can read more about it in the following documentation:
If you haven’t upgraded yet to 7.3 or above and are still using the legacy SAP Enterprise Portal 7.0 versions, you can control the access to the producer portals under “View My Producers”.
Take into consideration the following facts:
- When a producer blocks access from a consumer, the block is applied only after the dedicated cache on the consumer is cleaned.
- When a consumer blocks access to a producer, the block is applied to the current users only after a new browser session is opened by them on the consumer portal.
It is highly recommended to upgrade to a newer version, such as 7.4 / 7.5.
Refer to “Everything you wanted to know about SAP Enterprise Portal Upgrade”.
Unplanned Producer Portal downtime
For cases where the producer portal becomes unavailable unexpectedly, new configurations have been added in SAP Enterprise Portal 7.3 and above. These configurations were added in order to slightly improve the performance of the consumer portal when the producer portal is down.
If your consumer portal is one of those versions, then this option is relevant for you.
To check for the relevant SPs where it was added, refer to SAP Note 1718291 – “Consumer Portal availability when producer Portal is down”.
With this new configuration, you can control the timeout interval of SOAP calls to the producer portal. Once such a timeout occurs, the mechanism blocks that producer portal. You can also configure the length of time this producer will be blocked.
In addition, there are two approaches in case such a call gets a timeout after the defined interval – blocking for all users, and blocking only the users who encounter the issue.
Following is the information quoted from the note:
First, decrease the timeout value for the remote call (The default is 3 minutes):
Go to NWA on the consumer portal:
Configuration -> Infrastructure -> Application Modules.
Look for ‘com.sap.portal.ivs.global.bridge’ and in the ‘web module details’ select ‘SenderBridge’.
Set the ‘SOAPCallTimeout’ parameter for a desired time. The recommended value is 30 seconds. The value for this parameter is in milliseconds so for 30 seconds you should put 30000.
Save the changes and restart the service/application in order to apply the changes.
Secondly, in the ‘web module details’ select ‘SecuritySessionManager’.
This service has a parameter which determines the behavior of the consumer in this case.
There are 2 approaches for solutions from which you can choose:
Approach 1 – blocking for all users:
If you would like to prevent every user from suffering the long login time process, due to a producer down time, you should configure the ‘blockAllUsersOnError’ parameter to ‘all’.
In this case, whenever the first user encounters a timeout event for the remote call, all other users who will log in in the future will not trigger a remote call and the login process will be normal.
The administrator can unblock the problematic producer portal by navigating to the Federated Portal Iview, -> System Administration -> select the connection with this producer portal -> connection -> allow access to remote content.
In addition, the parameter ‘BlockingInterval’ of the ‘SecuritySessionManager’ service, determines for how long this producer will be blocked.
*** This configuration is recommended when there is a problem with the producer portal and it is crashing and not running. [It should be set before the crash 🙂 ]
Approach 2 – blocking only user who encounters the issue:
Set the ‘blockAllUsersOnError’ parameter to ‘user’ and save.
This configuration will prevent the current user’s session from triggering a remote call to the producer that caused the timeout and it will remain blocked until the user logs out of the consumer portal and logs in again.
After you set the parameters, click on ‘More Actions’ -> View Corresponding to Application.
Stop and Start both services ‘SecuritySessionManager’ and ‘SenderBridge’ on all instances.
Overcoming consumer unavailability
In a case where the consumer portal is not available at all, it might be that all threads are taken by the SOAP calls. The available steps:
- If possible, start the producer portal, in order to prevent such cases in the future.
- Disconnect one instance from the Web Dispatcher / Load Balancer, so that end users will not be able to reach it. This operation will ensure that no new problematic threads are generated.
- Restart the instance in order to release all threads, and make the portal of this instance available again.
- Log in to that instance with an administrator that has no remote roles assigned, and configure the relevant properties from SAP Note 1718291. In addition, if the producer is still not available, block the producer portal, as described in the “Planned Producer Portal downtime” section.
- Restart the instance and connect it back to the Web Dispatcher / Load Balancer.
- Restart the rest of the instances to release all other threads.
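The interaction between ‘SOAPCallTimeout’, ‘blockAllUsersOnError’ and ‘BlockingInterval’ described under “Unplanned Producer Portal downtime”, and the thread exhaustion described above, can be seen in a small simulation. This is an added example, not SAP code and not taken from the note. It assumes that every remote call hangs for the full timeout and holds one thread, that ‘BlockingInterval’ is in milliseconds, and that each timeout restarts the block; the function names and the load profile are constructed for illustration.

```python
# Toy model (added example, not SAP code) of a consumer portal whose producer is down.
# Assumptions: every remote call hangs for the full SOAPCallTimeout and holds one
# thread; BlockingInterval is treated as milliseconds; each timeout (re)starts the block.

def simulate(requests, soap_timeout_ms, mode, blocking_interval_ms):
    """requests: iterable of (time_ms, session_id). mode: 'all' or 'user'
    (the two blockAllUsersOnError values). Returns (remote_calls, peak_threads)."""
    if mode not in ("all", "user"):
        raise ValueError("mode must be 'all' or 'user'")
    in_flight = []            # (timeout_at_ms, session_id) of hanging SOAP calls
    blocked_until = -1        # 'all': producer blocked for everyone until this time
    blocked_sessions = set()  # 'user': sessions that already hit a timeout
    calls = peak = 0
    for now, session in sorted(requests):
        # Fire every timeout that is due; only a timeout triggers blocking.
        still_hanging = []
        for timeout_at, owner in in_flight:
            if timeout_at <= now:
                blocked_until = max(blocked_until, timeout_at + blocking_interval_ms)
                blocked_sessions.add(owner)
            else:
                still_hanging.append((timeout_at, owner))
        in_flight = still_hanging
        if mode == "all" and now < blocked_until:
            continue          # producer blocked for all users: no remote call
        if mode == "user" and session in blocked_sessions:
            continue          # this session stays blocked until re-login
        in_flight.append((now + soap_timeout_ms, session))
        calls += 1
        peak = max(peak, len(in_flight))
    return calls, peak

def constructed_load():
    """Constructed sample: 300 sessions, one login per second, each session
    sends a second request 4 minutes after its login."""
    first = [(i * 1000, i) for i in range(300)]
    second = [(i * 1000 + 240_000, i) for i in range(300)]
    return first + second

def compare(blocking_interval_ms=300_000):
    """Run both modes with the 3-minute default and the recommended 30 s timeout."""
    return {(mode, t): simulate(constructed_load(), t, mode, blocking_interval_ms)
            for mode in ("all", "user") for t in (180_000, 30_000)}

if __name__ == "__main__":
    for key, (calls, peak) in compare().items():
        print(key, "remote calls:", calls, "peak threads held:", peak)
```

In this model the peak number of threads held depends only on the timeout, while the blocking mode determines how many requests still pay for a hanging call.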