Configuration and Setup of HANA XS Apps with HANA DB SSO (BASIS Activities)
This is my very first blog in this community, and having learned a lot from the community forum, I feel great to give back.
This blog has been a long time coming. Below are some of the steps that I used to configure SAP HANA XS apps (HANA Live apps) such as KPI Modeler, Analytics Foundation apps and so on, whose content is in the HANA DB (in the form of the HANA delivery units we apply for those apps) but which are viewed through the FIORI URL. To make this work, the steps are: applying the delivery units for the app, Web Dispatcher routing configuration, SSO between ECC ABAP and HANA DB, and finally replication of ABAP users in HANA DB. These configurations are used less nowadays due to the introduction of S4 and its own FIORI apps, but the steps and configuration explained here can be used in other use cases.
ECC EHP 8 with HANA DB.
Importing delivery units:
Make sure to check the FIORI apps library for the frontend and backend requirements (HANA DB in this case) for your app.
Our apps require the below delivery units, so I am going to use them as the example here.
There are several ways to deploy delivery units. The popular methods are:
- Through HANA Studio (shown here).
- Through the command line at OS level.
- Through HANA cockpit (the best way).
Take a backup before starting this activity, and try it in a DEV or testing environment first.
The procedure below shows how to import a delivery unit through HANA Studio.
Step 1: Click File – Import.
Step 2: Select the Delivery unit option from the SAP HANA Content drop down.
Step 3: Select the System (HANA SID) into which you want to import.
Step 4: Select the appropriate TGZ file downloaded and extracted from SAP Marketplace.
Similarly, import all the required delivery units.
Web Dispatcher Configuration:
Add the following Web Dispatcher entry:
wdisp/system_(no.) = SID=EXT, EXTSRV=http://<hana host name>:80(nr), SRCURL=/sap/hba;/sap/hana/
hana host name = host name or IP of the server where HANA DB is installed.
nr = instance number of the HANA DB.
According to the above:
When the /BOE service is called, it goes to wdisp/system_0.
When /sap is called, it goes to either wdisp/system_1 or wdisp/system_2.
In the case of /sap, the request can go to either system 1 or system 2, so the Web Dispatcher checks the next path segment after /sap: if /sap/hana or /sap/hba is called, it goes to system 1; if any other service is called, i.e. /sap/<any service other than hana or hba>/, it goes to system 2.
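The routing rule described above can be checked offline before a profile is activated. The following is an added example, not part of the original post and not SAP's code: a simplified Python model of SRCURL prefix routing over a constructed profile (the BOE and ECC entries, host names and ports are assumptions), comparing most-specific-prefix selection with first-match selection.

```python
import re

# Constructed profile. The HANA entry follows the post's pattern (instance 00 ->
# port 8000); the BOE and ECC entries, hosts and ports are assumed for illustration.
PROFILE = """\
wdisp/system_0 = SID=BOE, EXTSRV=http://boe.example.internal:8080, SRCURL=/BOE
wdisp/system_1 = SID=EXT, EXTSRV=http://hana.example.internal:8000, SRCURL=/sap/hba;/sap/hana/
wdisp/system_2 = SID=ECC, MSHOST=ecc.example.internal, MSPORT=8100, SRCURL=/sap
"""

def parse_profile(text):
    """Return [(index, fields)] for each wdisp/system_<n> line, sorted by index."""
    systems = []
    for line in text.splitlines():
        m = re.match(r"wdisp/system_(\d+)\s*=\s*(.+)", line.strip())
        if not m:
            continue  # other profile parameters are ignored
        fields = {}
        for part in m.group(2).split(","):
            key, _, value = part.strip().partition("=")
            fields[key.strip().upper()] = value.strip()
        fields["PREFIXES"] = [p for p in fields.get("SRCURL", "").split(";") if p]
        systems.append((int(m.group(1)), fields))
    return sorted(systems, key=lambda s: s[0])

def route(systems, path, most_specific=True):
    """Return the SID a path is sent to, or None if no SRCURL prefix matches.
    most_specific=True: longest matching prefix wins, whatever the entry order.
    most_specific=False: the first entry (in list order) with a match wins."""
    best = None  # (matched prefix length, SID)
    for _, fields in systems:
        lengths = [len(p) for p in fields["PREFIXES"] if path.startswith(p)]
        if not lengths:
            continue
        if not most_specific:
            return fields["SID"]
        if best is None or max(lengths) > best[0]:
            best = (max(lengths), fields["SID"])
    return best[1] if best else None

def order_sensitive_paths(systems, paths):
    """Paths whose first-match backend changes when the entry order is reversed."""
    return [p for p in paths
            if route(systems, p, False) != route(systems[::-1], p, False)]

if __name__ == "__main__":
    systems = parse_profile(PROFILE)
    probes = ["/BOE/BI", "/sap/hana/uis/x", "/sap/hba/r/x", "/sap/bc/ui5_ui5/", "/sap/hana"]
    for p in probes:
        print(f"{p:20} -> {route(systems, p)}")
    print("order-sensitive:", order_sensitive_paths(systems, probes))
```

In this model, /sap/hana without a trailing slash falls through to the /sap entry because the configured prefix is /sap/hana/, and the two HANA paths are the only ones whose backend depends on entry order under first-match selection.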
For the above condition to work, the below parameter is maintained:
Next, let us proceed with the configuration for SSO between the FIORI front end and HANA DB.
It has three steps.
Exporting ECC front end system (FIORI ABAP System) certificate:
Click Export Own Certificate of FIORI Front end:
Import that file in HANA DB:
To do that,
Launch HANA Cockpit: Right click – Configuration and monitoring – Open SAP HANA cockpit.
Open the App — Certificate store:
Now select the certificate which you exported from the FIORI front end system.
Then Open the App — Configure Certificate collections App:
Now Create Certificate Collection by clicking the + button:
Give it a name.
Click Edit and edit that certificate collection:
Edit the purpose.
Then add the certificate which you previously imported, using the Add Certificate button:
My login ticket issuing URL for this SSO is my Fiori URL (which the end user is going to use): in my case, the Web Dispatcher URL through which FIORI is accessed.
Copy this URL and keep it in a notepad.
Then connect to the HANA DB in HANA Studio:
Open Administration by double clicking the HANA DB SID in studio.
In the Configuration tab, expand the section xsengine.ini -> authentication (add the authentication section if it is missing).
Set (or add) the parameter: logonticket_redirect_url.
Enter the URL that points to the system and service issuing SAP logon tickets, for example:
Type the parameter name in the key box and paste the URL copied to the notepad into the value box.
Step 3: XS Engine Run-time configuration.
Maintain the run-time configuration for the application for which you want to use SAP logon tickets for user authentication. In this case, these are the HANA Live apps, and the configuration has to be maintained for their content.
You can use the Web-based SAP HANA XS Administration Tool to complete this step. The tool is available on the SAP HANA XS Web server at the following URL:
Choose XS Artifact Administration.
- Locate the root package of the application whose run-time configuration you want to modify. In this case, these are the HANA Live apps, and the configuration has to be maintained for their content.
Use the Packages list in the Application Objects pane.
- In the Security & Authentication tab, enable support for SAP Logon/Assertion Ticket.
Do the same for every application root package.
- Save the changes you have made.
Synchronizing ECC users and DB users (to create users in the DB directly from the ABAP system):
First, connect to the DB in T-Code DBCO:
Add a new entry:
Fill in the details and connect to the DB with sufficient privileges (the SCHEMA user is preferred):
Then we have to maintain an entry in a table.
Entry to be maintained:
The DBCO connection name and the client from which you need to create DB users.
So go to SM30 to maintain the table USR_DBMS_SYSTEM.
Maintain the entry:
DBCO connection and source client for DB user creation.
Kindly verify the same using SE11.
Then try to execute the program RSUSR_DBMS_USERS in SE38.
It should execute without any error in the admin client (the source client for DB user creation):
For other clients, or if the above activity is not done, it will display an error as below:
To verify that the above configuration is done correctly, go to SU01 and enter an ABAP user ID.
A new tab, DBMS, will now appear in the user edit menu,
from where you can create a DB user for the ABAP user you have edited and also administer it (for example, granting roles).
E.g. refer to the below screenshot.
Now hand it over to the FIORI consultants to activate the HANA DB dependent apps.
If the Web Dispatcher routing is missing, we will get the below error (cannot load tile), because the tile is unable to access the content in HANA DB due to the missing route.
If the Web Dispatcher configuration is done correctly but the SSO configuration is not done, it will ask for DB-level credentials.
The same will happen if the user is not created at DB level or a sufficient role is missing.
Once all configuration (Web Dispatcher and SSO) is done, it will show the KPI apps after FIORI login.
The above procedures are for HANA Live apps in the ECC product, but my guess is that they are not required for the S4 HANA product. Though this configuration is old, it includes different configuration setups such as Web Dispatcher configuration, SSO and replicating ABAP users to HANA DB, which can be used in different cases.
Thanks all for your time.
Note: the above activity was performed in a test system, and if any details found here are similar in any way, it is strictly coincidental.