Skip to Content
User Experience Insights
Author's profile photo Roland Kramer

SAP MacGyver – Installing SAP SolMan 7.2

Last Changed: 8th of October 2021

SAP MacGyver – Installing SAP SolMan 7.2


Why SAP MacGyver? Ok, that is obvious. There is no SAP Product like the SAP Solution Manager 7.x which needs more creativity with a skillful set of knowledge and capabilities about the Complete Range of SAP (NetWeaver) Technology with the Challenge of a Software Release which is out of Maintenance like SAP NetWeaver 7.40 and the usage of SAP BI-JAVA 7.50
Like Angus MacGyver and his tools: the Swiss Army Knife, Duck Tape, Paper Clip, Matches and a lot of SAP Background Knowledge plus Creativity is necessary to finalize the Task successfully.

Blog – SAP Solution Manager 7.2 SPS13 is Released, What’s In It for Me?

Since 2007, as the Solution Manger 7.1 was mandantory for the NetWeaver Upgrade to 7.3x and higher, I have implemented several times the SAP SolMan 7.x with different SP Levels and Releases. No Installation was the same as the first one, but the main Challenges/Problem remain the same even after almost 1 1/2 decades. I even succeeded a 7.1 Systemcopy which was impossible to do, but with the BW Postcopy Automation is was and is also today.

Installation of the SolMan ABAP and JAVA Instances 

You start with the creation of the ABAP and JAVA Instance in the Maintenance Planner and select the needed usages types and for ABAP 7.40 the SAP_UI Frontend 7.54. Please Note, the assigned SAP JAVA Version is now 7.50, where already the first Challenge begins.

Blog – Updates to enhanced Maintenance Planner

The good news: There is now the Service Release 2 (SR2) for SolMan 7.2 based on SP12 available, and the delta to apply is now marginal, if you imagine that SR1 was based on SP04. However this Delta hast to be applied after the initial Installation with SAINT for ABAP and SUM for JAVA.


separate Download of SR2 for SolMan 7.2

For the current SolMan 7.2 Installation based on SR2, you still have to unzip the four Files in it’s own Directory to the Download Folder to be able to recognized by the SWPM 1.0 which is still be used. (e.g. SWPM10SP32_6-20009701.SAR)


ABAP Instance SM9 for SolMan 7.2

As the Add-On Focus Build 2.0 is not Part of the SR2 Export, you have to install this after the technical ABAP Installation with tx. SAINT including the rest of the Support Packages.
Automated Initial Setup of ABAP Systems Based on SAP NetWeaver


Installed Software on SM9

Calling sapinst for the ABAP Instance with the stack.xml

./sapinst SAPINST_STACK_XML=/software/SolMan/MP_Stack_1001276584_20210924_SM9_server.xml

For JAVA this will not work, as otherwise the error Message “The content has been tampered” will occur. in the second Step, you can use the stack.xml to apply SP13 and the JAVA Patches.


Note 2449282 – The integrity check for [TOC.XML, usages_data.xml, pv_descriptor.xml] of Java Component NW740 SR2 (folder JAVA_J2EE_OSINDEP_UT) failed!
Note 2498029 – Solman installation Error: requested package Java Component NW740 SPS12 or NW750 (folder JAVA_J2EE_OSINDEP_UT) using standard installation option with or without STACK XML

Install the Diagnostic Agent (correctly)

Attention (Spoiler): this Chapter contains already Information which will be later important in the configuration of the Managed System with the configured SolMan 7.2

Typical Error Messages assigned to this Task HostAgent stub failed.

Exception: javax.naming.NoPermissionException: 

Exception during getInitialContext operation. Wrong security principal/credentials. [Root exception is Login failed.]

CX_SOAP_CORE : Error when calling SOAP Runtime functions: 
SOAP-ENV:Serverjava.lang.NullPointerException: while trying to invoke the method of a null object loaded from local variable 'point'java.lang.NullPointerException: while trying to invoke the method of a null object loaded from local variable 'point' 

P4 connection to Solution Manager Diagnostics (SMD) server failed
Connecting to SMD server ms://server.domain.ext:8019/P4 failed

SAP Notes assign to the Task/Topic (way too much “Jugend forscht”:

Note 1786051 – Configuration check for managed system returns “No FQDN found in Host”
Note 1799138 – Configuration check returns “The definition of Technical System ‘{SID}~{STACK}’ is not correct: ‘{SID}~{STACK}’ : Operating System ‘{OSName}’ of Host ‘{hostname}’ must have at least one Software Component Version” – SolMan
Note 1822831 – Web Service Soap Errors in solman_setup
Note 1862333 – Common Host Agent issues displayed in Agent Administration
Note 2183995 – Data Supplier Processing in SAP Solution Manager 7.2 in LMDB
Note 2187696 – CCMS agent disabled: AS Java System Overview gray lights
Note 2201640 – The definition of Technical System ‘<SID>~HANADB’ is not correct: ‘<SID>~HANADB’: Technical System must be installed on at least one Host.
Note 2414713 – The definition of Technical System <SID~TYPE> is not correct. No instance found under installed Technical System
Note 2436986 – Registration and Managed System Setup of SAP HANA in SAP Solution Manager
Note 2499629 – Manual activities in LMDB when switching the Outside Discovery by Diagnostic Agent to Outside Discovery by SAP Host Agent
Note 2554489 – Register AS ABAP system to SLD in RZ70 using HTTP connection with path prefix “/sld” doesn’t work
Note 2556432 – Switch Outside Discovery from Diagnostics Agent to SAP Host Agent
Note 2637838 – NWA “System Overview” shows grey lights and N/A status – Best Practices for Troubleshooting
Note 2836143 – How to directly register managed system to LMDB in SAP Solution Manager
Note 3054925 – Skip RFC connection error message in RZ70 when HTTP connection is maintained
Note 3073139 – SLD registration is deactivated due to incomplete calling parameters.
Note 3076443 – SAP Host Agent 7.22 PL53
Note 3090021 – Error ‘<SID>~ABAP’: Operating System ‘Linux~<version>’ of Host ‘<hostname>’ must have at least one Software Component Version
Note 3092345 – Define CA Introscope: wrong Diagnostics Agent

First Install/Update the SAP Host Agent to the latest Version and make sure the parameters in the file host_profile are set correctly to support the SSL configuration.

Note 3076443 – SAP Host Agent 7.22 PL53

SAP Help – Configuring SSL for SAP Host Agent on UNIX

# executed as root with switch to user sapadm
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x is!seCret -r /usr/sap/hostctrl/exe/sec/server-csr.p10 "CN=server.domain.ext, O=SAP AG, OU=IDNA, C=DE"
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x is!seCret -O sapadm
server:/usr/sap/hostctrl/exe/sec #
# send the certification request (server-csr.p10) and get the response (server-csr.p7b)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x is!seCret -c server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x is!seCret -v
server:/usr/sap/hostctrl/exe/sec # dir
-rwxrwxr-x 1 sapadm sapsys 5239 Oct  6 14:53 SAPSSLS.pse
-rwxrwxr-x 1 sapadm sapsys  115 Oct  6 14:51 cred_v2
-rwxrwxr-x 1 sapadm sapsys  964 Oct  6 14:51 server-csr.p10
-rwxrwxr-x 1 root   root   6559 Oct  6 14:52 server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #


server:/usr/sap/hostctrl/exe # vi host_profile
# add the following Information and restart with ./saphostexec -restart
SECUDIR = /usr/sap/hostctrl/exe/sec
ccms/enable_agent = 1
hostexec/startoscol = true
saphostagent/ssl_setup = true
service/admin_users = sapadm dasadm
service/http/hostname = server.domain.ext
ssl/server_pse = /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
# update SHA - ./saphostexec -upgrade -archive SAPHOSTAGENT53_53-80004822.SAR

Secondly, Install the Diagnostic Agent with SWPM 1.0 SP32 (or higher)

Note 1680045 – Release Note for SWPM 1.0 (recommended: SWPM 1.0 SP32)


the following screens are not meaningful and already lead to problems which are hard to solve later. The Port of the JAVA SCS Instance is NOT the P4 or P4S Port. Try not to skip the Phase, as later on the script generates additionally mismatches in the SDM configuration.


Connection Information for the Diagnostic Agent


the SCS Port of the SolMan JAVA Instance has 4 Digits

server:dasadm > cd /usr/sap/DAS/SMDA98/script/
server:dasadm > stopsap r3
server:dasadm > ./ sldconf hostname:"sapms://server.domain.ext" port:"51801" user:"SMD_RFC" pwd:"is!seCret" use_ssl:"true"
server:dasadm > ./ managingconf hostname:"sapms://server.domain.ext" port:"51805" user:"SMD_RFC" pwd:"is!seCret"
server:dasadm > startsap r3
server:dasadm > ls -lart ../SMDAgent/log/
drwxr-xr-x 9 dasadm sapsys   4096 Oct  6 18:47 ..
-rw-r--r-- 1 dasadm sapsys   6992 Oct  6 18:48 dpc.0.log
-rw-r--r-- 1 dasadm sapsys   7658 Oct  6 18:48 eem.0.log
-rw-r--r-- 1 dasadm sapsys   4749 Oct  6 18:49 smd.0.connector.listener.log
-rw-r--r-- 1 dasadm sapsys    689 Oct  6 18:49 e2emai.0.log
-rw-r--r-- 1 dasadm sapsys    622 Oct  6 18:49 e2edcc_iis.0.log
drwxr-xr-x 2 dasadm sapsys   4096 Oct  6 18:49 .
-rw-r--r-- 1 dasadm sapsys   9688 Oct  6 19:37 SMDAgentApplication.0.log
-rw-r--r-- 1 dasadm sapsys 109497 Oct  6 21:04 e2edcc_host.0.log
-rwxr-xr-x 1 dasadm sapsys 166874 Oct  6 21:04 SMDSystem.0.log
-rwxr-xr-x 1 dasadm sapsys 530335 Oct  6 21:04 smdagent_trace.0.trc
-rw-r--r-- 1 dasadm sapsys  31169 Oct  6 21:04 e2edcc_db.0.log
-rw-r--r-- 1 dasadm sapsys 142068 Oct  6 21:04 e2edcc.0.log
# if you not see all these files, then the script was executed incorrectly!

Check the SMD runtime properties for the correct SDM Agent Connection String

server:dasadm > more ../SMDAgent/configuration/
# correct the string, as the script creats wrong entries. These strings are correct.
# the P4 or P4S Port must be correctly defined, before you can use them
server:dasadm >

Optional Test, to see if the SAP Host Agent is “trustworthy”

/usr/sap/hostctrl/exe/sapcontrol -nr 99 -user "" "" -function ConfigureLogFileList add /tmp

Check in the Agent Administration that the Agent is available and you can trust the Agent.




Connection Status – Agent Administration

If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab.

Finally, the configuration should look like this (use the MSG Server Connection for the SolMan Configuration). You can switch later to the P4 or P4S connection method, but keep in mind that these type of connection is not suitable for cluster installations.


Diagnostic Administration successfully enabled

If possible, correct the settings in the connected host and check the availability of the Diagnostic Agents, as an incorrect configuration will interfere in several steps later.


Assign the Diagnostic Agent to the host – SolMan Secure Setup

Nevertheless, the Information of a SAP HANA Database always shows incomplete in several occasions, despite of the time you spend in the investigation of the missing data.

Error Messages during the Managed System Configuration on SAP HANA

The definition of Technical System 'SJ9~JAVA' is not correct: 'SJ9~JAVA': Database 'HM9' must have at least oneHost.
The definition of Technical System 'H4S~HANADB' is not correct: 'H4S~HANADB': Database 'H4S' must have one Software Component Version.
The definition of Technical System 'H4S~HANADB' is not correct: 'H4S~HANADB': Installed Technical System 'H4S~HANADB~server' must have at least one Server
No instances could be loaded from landscape for H4S/HANADB
No Content supplied to EFWK Setup. Nothing to Configure. Please check PPMS Information in Landscape.

This is an Example during the the Managed System Configuration.
Make sure that you cascade the Managed System Configuration for the components as follows:

  • (1) the host where the SAP Components are Installed
  • (2) the SAP HANA database where the ABAP/JAVA Instances are Installed
  • (3) the ABAP Instance which installed on SAP HANA
  • (4) optional: the JAVA Instance which is connected to ABAP


switch the Status to “Manually Performed”

as the SolMan has several “Self healing capabilities” and a lot of Job’s are executed in Background, the status of the configuration changes from red to green.


Managed System Configuration – Overview


Starting the SolMan 7.2 Configuration

First Thing is beside the correct System Parameters, is the Checklist for Support Backbone Update
The Document – SAP First Guidance – SEM/BW Modelling in SolMan 7.x with MOPz/MP also contains additional Information for this Step.

Details about the correct SAP Parameters can be found also in the Document – SAP First Guidance – SAP BW on HANA – Edition 2021

Details about the Diagnostic Registration can be found in the Document – SAP First Guidance – SEM/BW Modelling in SolMan 7.x with MOPz/MP

Note 2113602 – SOLMAN_SETUP in Solution Manager 7.2 – Responsibility of individual steps and helpful notes or KBAs

csi/enable = 0
icm/min_threads = 16
icm/max_threads = 32
icm/max_conn = 1024
icm/keep_alive_timeout = 360
icm/conn_timeout = 50000
icm/host_name_full = $(SAPLOCALHOST).$(SAPFQDN)
icm/HTTP/logging_client_0 = PREFIX=/, LOGFILE=http_client_log, LOGFORMAT=%t %H %a - %r %s %b %{Content-Length}i %L, MAXSIZEKB=102400, FILEWRAP=on
icm/HTTP/file_access_1 = PREFIX=/clientaccesspolicy.xml,DOCROOT=$(DIR_INSTANCE)/sec, DIRINDEX=clientaccesspolicy.xml
icm/HTTP/file_access_2 = PREFIX=/crossdomain.xml,DOCROOT=$(DIR_INSTANCE)/sec, DIRINDEX=crossdomain.xml
icm/server_port_0 = PROT=HTTP,PORT=80$(SAPSYSTEM),PROCTIMEOUT=360,TIMEOUT=3600
icm/server_port_1 = PROT=HTTPS,PORT=81$(SAPSYSTEM),PROCTIMEOUT=360,TIMEOUT=3600,SSLCONFIG=ssl_config_1
icm/ssl_config_1 = CRED=SAPSSLS.pse,VCLIENT=1
icm/server_port_2 = PROT=SMTP,PORT=25$(SAPSYSTEM),PROCTIMEOUT=180,TIMEOUT=2000
icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=$(DIR_DATA)/cache
icm/HTTP/server_cache_0/size_MB = 100
icm/HTTP/max_request_size_KB = 1024000
is/HTTP/show_detailed_errors = TRUE
icm/HTTPS/client_sni_enabled = TRUE
is/SMTP/virt_host_0 = *:25$(SAPSYSTEM)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3
mpi/total_size_MB = 64
ms/server_port_0 = PROT=HTTP,PORT=82$(SAPSYSTEM)
ms/server_port_1 = PROT=HTTPS,PORT=83$(SAPSYSTEM)
ccl/fips/enable = 1
sec/libsapsecu = $(SAPCRYPTOLIB)
sec/rsakeylengthdefault = 2048
spnego/enable = 1
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_sni_enabled = TRUE
ssl/ssl_lib = $(SAPCRYPTOLIB)

SSL Parameter in ABAP Instance – SM9


You can check your Cipher Configuration as follows (Client/Server):

lt5087:sm9adm 69> sapgenpse tlsinfo -v -c 150:PFS:HIGH::EC_P256:EC_HIGH
lt5087:sm9adm 69> sapgenpse tlsinfo -v -p /usr/sap/SM9/DVEBMGS16/sec/SAPSYS.pse 135:PFS:HIGH::EC_P256:EC_HIGH


If you are uncertain, which Ports are available you can call the Message Server URL as follows: http://server.domain.ext:<MSG-Port>/msgserver/text/logon

ccl/fips/enable = 1
icm/HTTPS/client_sni_enabled = TRUE
icm/host_name_full = $(SAPLOCALHOST).$(SAPFQDN)
icm/keep_alive_timeout = 240
igs/listener/rfc/disable = 1
j2ee/dbdriver = /usr/sap/SJ9/hdbclient/ngdbc.jar
j2ee/instance_id = ID1899919
jstartup/max_caches = 500
jstartup/service_acl = *
jstartup/trimming_properties = off
jstartup/vm/home = $(DIR_SAPJVM)
jstartup/vm/parameters = -Dsap.runtime.vm.allow=*;SAP*;*;*
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3
sec/libsapsecu = $(ssl/ssl_lib)
sec/rsakeylengthdefault = 2048
spnego/enable = 1
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(ssl/ssl_lib)
ssl/ciphersuites = 135:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH:MEDIUM:+e3DES::EC_P256:EC_HIGH
ssl/client_sni_enabled = TRUE
ssl/pse_provider = JAVA
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
icm/server_port_0 = PROT=P4SEC, PORT=51805, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_0
icm/ssl_config_0 = VCLIENT=0, CRED=/hanamnt/data/data2/SJ9/J18/sec/SAPSSLS_51805.pse
icm/server_port_1 = PROT=P4, PORT=51804, TIMEOUT=240, PROCTIMEOUT=900
icm/server_port_2 = PROT=IIOP, PORT=51807, TIMEOUT=240, PROCTIMEOUT=900
icm/server_port_3 = PROT=IIOPSEC, PORT=51806, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_3
icm/ssl_config_3 = VCLIENT=0, CRED=/hanamnt/data/data2/SJ9/J18/sec/SAPSSLS_51806.pse
icm/server_port_4 = PROT=TELNET, PORT=51808, TIMEOUT=240, PROCTIMEOUT=900
icm/server_port_5 = PROT=HTTPS, PORT=51801, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_5
icm/ssl_config_5 = VCLIENT=0, CRED=/hanamnt/data/data2/SJ9/J18/sec/SAPSSLS_51801.pse
icm/server_port_6 = PROT=HTTP, PORT=51800, TIMEOUT=240, PROCTIMEOUT=900

SSL Parameter on JAVA Instance – SJ9

The SCS Port of the JAVA Instance can be used for the connection of the Diagnostic Agent (7.53) to the SolMan Instance. Later you can switch to the P4S Socket.


Typical Error Message to this Topic:

ERROR => IcmHandleMonitorMessage: MpiGetInbuf failed (rc = 14) [icxxmsg.c    1027]
ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   2002]
ERROR => MsHttpLBThread: SapSSLSessionStart (rc=-102) SSSLERR_PEER_CERT_UNTRUSTED [msxxhttp.c   9808]
ERROR => illegal path specified {00000041} [http_plg.c 4844]


Note 1668882 – Note Assistant: Important notes for SAP_BASIS 730,731,740,750
Note 2827658 – Automated Configuration of new Support Backbone Communication – Update 02
Note 2869143 – Composite note for handling of Digitally Signed SAP Notes in Note Assistant (SNOTE tx)

Patching SolMan 7.2 SPS 13 will be requested by the SolMan Setup anywhere.
Support Package: SAPK-72013INSTMAIN
Category: Program error

Patching SAP_UI 7.54 is also mandantory. See the Document – SAP First Guidance – complete functional scope (CFS) for SAP BW/4HANA


Update tx. SNOTE

In the ABAP Instance you should first run the Task Lists/Program in this Order as the two Task Lists might check for different Technical Users and provoke that the S-User(s) are locked in the SAP OSS Backend.





tx. SRT_ADMIN in Client 000








Until here, a lot of Problems can happen, for Example:

  • locked technical User(s)
  • wrong credentials or User
  • missing Certificates
  • missing SAP Corrections
  • missing Parameters and Configurations
  • etc.

Please Note: for SolMan 7.x and the activation of the SAP Backbone you will need two different kind of technical communication users:

  • a technical User “Administrator”
  • the technical User(s) itself



Further SAP Notes assign to the Task/Topic:

Checklist for Support Backbone Update – SP 10
Note 2174416 – Creation and activation of Technical Communication Users – SAP ONE Support Launchpad
Note 2359837 – Troubleshooting for “Support Hub Connectivity” in Solution Manager 7.2 up to SP04
Note 2454045 – SAP Support Backbone Connectivity Troubleshooting in Solution Manager 7.2 – Guided Answer
Note 2500061 – Support Hub Connectivity: Configuration Steps in SAP Solution Manager 7.2 as of SP05
Note 2522789 – How to check error ‘ Web service ping failed for logical port LP_SISE_SUPPORTHUB ‘ in Solution Manager 7.2 as of SP05
Note 2880840 – Known issues in SAP Solution Manager 7.2 after the change in Support Backbone starting January 2020
Note 2907312 – receive method failed with return code SY_SUBRC 1 in job SAP_LMDB_DOWNLOAD_CONTENT
Note 3010412 – SAP Support Backbone – Configuration Overview, Responsibilities and Troubleshooting


Update all necessary Certificates in ABAP and JAVA

Before starting with the SolMan configuration, you should renew all necessary Certificates on the ABAP and JAVA Instances, to avoid any follow up Problems (which will occur definitely … ;-))

SAP Help – SAP Support Backbone Update Checklists

Important SAP Notes:

Note 2500061 – Support Hub Connectivity: Configuration Steps in SAP Solution Manager 7.2 as of SP05
Note 2631190 – Download location of SSL certificates required for Support Hub Connectivity configuration
Note 2716729 – SAP backbone connectivity – SAP Parcel Box configuration
Note 2827658 – Automated Configuration of new Support Backbone Communication – Update 02
Note 2820957 – Destinations SAP-SUPPORT_PARCELBOX and SAP-SUPPORT_NOTE_DOWNLOAD giving error 401 Unauthorized
Note 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
Note 2911301 – SAP Support Portal connection – Renew client certificate of technical S-user
Note 2946444 – SAP Support Portal connection – Renew client certificate of technical S-user according to KBA 2911301
Note 3053425 – Download test note 2424539, “HTTP request for SAP-SUPPORT_PORTAL failed: Unauthorized”
Note 3079094 – In tx. STC01: Task list SAP_BASIS_CONFIG_OSS_COMM is missing on systems with Basis release 7.31 or lower



tx. STRUSTSSO2 on the ABAP Instance – SM9




check the ICM log for errors


Import the Root Certificate to the System PSE (SAPSYS.pse)


solve all issues in the ICM log to avoid follow up errors


NWA Security overview in the JAVA Instance – SJ9


update Certificates and create SSL access Points


all SSL access Points on the JAVA Instance are active


Don’t underestimate this preparation steps, without the correct Setup here several Activities in the SolMan Activation will have inconsistencies or even fail. As I have checked a lot of Customer Incidents pointing always to the same kind of problems, this is really crucial.

Now it is a good time to run a Backup of the System, as you don’t want to do this again in case you have to restart the configuration … 😉

Starting the SolMan Configuration 7.2

SAP Help – Security Guide – Secure Configuration

You should create the user SOLMAN_ADMIN to run the Secure Configuration to avoid the usage of the Profil SAP_ALL. Furthermore the SMUA (Solution Manager User Administration) should be setup in a different Client or System, e.g. where also the FRUN 2.0 Add-On can be reside.

But running the Setup without the SAP_ALL Profile, the Secure Configuration might fail several times. If the User has SAP_ALL, the User will get always this annoying message above.


check table PRGN_CUST in Advance

SAP Notes related to the Topic/Task:

Note 2250709 – Solution Manager 7.2: End-User Roles and Authorizations Corrections as of SP01 and higher
Note 2257213 – Authorizations for RFC users for SAP Solution Manager 7.2 SP02 and higher
Note 2512575 – Check User Management Engine Settings activity in SAP Solution Manager 7.2 as of SP03
Note 3070170 – Diagnostics agent cannot establish a P4 connection to the managed system


as the SLD is still used in the Background somewhere run the SLD setup first




Setup of the SLD on the JAVA Instance – SLD


as you already updated some Roles from the mentioned SAP Note, you can also run tx. SU25 in advance to save some time later like the creation of the local SLD.

Initial Load January 2021 – Initial Full Import for SAP CR Content 2021
Delta Load September 2021 – cimSAP-09.2021CRDelta-09.2021

Update the local SLD with the Data from the ABAP (SM9) and the JAVA (SJ9) Instance like described in the Document – SAP First Guidance – complete functional scope (CFS) for SAP BW 7.50



tx. SU25


Here we have now the “Chicken – Egg Problem”. At this Stage, the ABAP Instance SM9 has no Information about the assigned JAVA Instance SJ9. So calling tx. SOLMAN_SETUP will not start due the missing entries in Table HTTPURLLOC






Calling tx. SOLMAN_SETUP for the first time should be a User with enough Permission as the created User SOLMAN_ADMIN doesn’t have all authorizations at this time.




Check Prerequisites successfully done


Always read carefully the Documentation, as I missed already some settings here
tx. AISUSER => User/Customer Nr./S-User



Set Up Connection to SAP successfully done


All Essential Corrections already applied before


Maintain carefully the Technical ABAP User


Tipp: use tx. SU10 and switch the Users from System to Service, in case you miss additional logon Messages.


tx. SU10 – Switch the Users to Type “Service”


System Preparation successfully done


Be aware, that the System Preparation must be execute successfully and every Step appears as green. Every shaky decision here and you will pay for it in the upcoming steps.

SAP Notes related to the Task:

Note 1886567 – SSO wizard fails when configuring template evaluate_assertion_ticket
Note 2068872 – HttpOnly and Secure cookie attributes
Note 2182476 – Batch Job REFRESH_ADMIN_DATA_FROM_SUPPORT in Solution Manager 7.2 as of SP05
Note 2250709 – Solution Manager 7.2: End-User Roles and Authorizations Corrections as of SP01 and higher
Note 2257213 – Authorizations for RFC users for SAP Solution Manager 7.2 SP02 and higher
Note 2461900 – SSSLERR_PEER_CERT_UNTRUSTED error in dev_icm trace
Note 2512575 – Check User Management Engine Settings activity in SAP Solution Manager 7.2 as of SP03
Note 2573231 – Trying to generate the diagnostics agent certificate on step 2.3 “Diagnostics Agent Authentication” fails with error: “[SMDSetupAuthenticationVi.generateAndExportRootCertificate] Access Forbidden”
Note 2728600 – SSSLERR_ when accessing HCI/(S)CPI/NEO/CF servers under *
Note 2966538 – SSSLERR_PEER_CERT_UNTRUSTED shows in AS Java ICM trace after importing trusted certificates into keystore views
Note 3070170 – Diagnostics agent cannot establish a P4 connection to the managed system


Infrastructure Preparation – it’s getting crucial

the setup of the System Landscape Directory (SLD based on JAVA) and it’s Connection to the Lifecycle Management Database (LMDB based on ABAP) is complex and time intensive Task. the HTTP Destination Naming needs LMDB_* at the beginning and correct and unlocked Connection Users.



choose – Automatic Import into SLD


create two HTTP Destinations to the local SLD on SJ9


wait until the LMDB Synchronization is finished


make sure the SolMan ABAP/JAVA Instances are detected now


If you not properly set the SSL Access Points and System Parameters for the JAVA Instance and/or you have mismatches in the ABAP SSL configuration, you might see no entries or only the server host values and ports without the Domain Extension.
Nevertheless, you will nee the full qualified Domain Name URL to your ABAP and JAVA SolMan Instance. It makes no sense to continue here, if this is not fulfilled.
the Parameter login/ticket_only_https = 1 should be removed or use the Kernel default (0)


Typical Errors during this Task

Error; exception of type 'CX_LMDB_SM_SELF_REGISTRATION' occurred, message: AS ABAP of SAP Solution Manager not in LMDB, see long text
L3 - Could not reach test WS through system settings (ICM/HTTPURLLOC)


SAP Notes related to the Task:

Note 2204859 – L3-Failed to reach test WS through System Settings (ICM/HTTPURLLOC)
Note 3058713 – End Points or Logical Ports are not created in step Create Logical Ports in SAP Solution Manager 7.2
Note 2573231 – Trying to generate the diagnostics agent certificate on step 2.3 “Diagnostics Agent Authentication” fails with error: “[SMDSetupAuthenticationVi.generateAndExportRootCertificate] Access Forbidden”



check the correct Update the SolMan ABAP/JAVA Instances to the local SLD


check the JCo Destinations WEBADMIN/SOLMANDIAG manually


errorthe Step: Create RFC Connectivity is not correct. Go to the RFC Destination and modify the entries and add the ABAP Message Server Details and ensure that the JCo Providers in the JAVA Instance are correctly started. Furthermore the assigned Users should have correct Roles and are not locked



modify the RFC Destination and add the message server details


Details of the RFC Destination SOLMANDIAG


Connect at least the Diagnostic Agent on the SolMan System


Call the SAP Diagnostic Agent Administration as follows:



SAP Diagnostic Agent Administration 1-2


SAP Diagnostic Agent Administration 2-2

In case you already installed the SAP Diagnostic Agent, but the connection without success, you can run the following commands to fix the connection with the tool

Error Message:

[SMDManager.registerAgent] Receive registration for an already existing entry. Registration REJECTED

Note 1907891 – How to change the server name of Diagnostics Agent – Solution Manager

server:dasadm 90> pwd
server:dasadm 87> stopsap r3
server:dasadm 87> ../../script/ changeservername servername:"server"
server:dasadm 87> pwd
server:dasadm 88>../../ managingconf hostname:"sapms://server.domain.ext" port:"<P4S-Port>" user:"SMD_RFC" pwd:"<password>"
server:dasadm 88> vi ../configuration/
# replace sapms\://server.domain.ext\:<P4S-Port>/P4S with p4s\://server.domain.ext\:<P4S-Port>
server:dasadm 87> startsap r3
server:dasadm 89> 



SAP Diagnostic Agents are available in the Administration


Enable the SAP BW Instance in the ABAP SolMan System


Please Note: Without a correctly Configured SAP Diagnostic Agent on the SolMan Host, the existing CA Introscope Installation cannot be detected and ignoring this, would again end up in follow up Errors in the SolMan Configuration. Make sure that everything is correctly activated here.

Note 1579474 – Management Modules for Introscope delivered by SAP
Note 2909673 – Introscope 10.7 Release Notes

CA Application Performance Management Version 10.7 can be called with the following URL:




CA Introscope – SAP Dashboard


Define CA Introscope – Details


optional: Set Up E-Mail Communication


Configure CRM Basics – End of the Infrastructure Preparation


SolMan Infrastructure Preparation successfully finished

Mandantory Configuration – Basic Configuration – Final Configuration


Configure Basis Functions


Schedule Jobs in SM9


Configure manually Functions in SM9








Create/Check Basic Dialog User


Basis Configuration successfully completed

SAP Notes assigned to the Task

Note 2820089 – Dump CX_EEM_EXCEPTION in method GET_JOB_DETAILS in ABAP Program CL_EEM_UTILITIES==============CP

Solution Manager 7.2 is configured

wow, really? the Solution Manger 7.2 is fully functional (at least for the basic tasks)


Solution Manager Configuration successfully finished


Setup – Fiori Launchpad for SM9


Setup – Focus Build 2.0 on SM9


For this complex Blog the following resource were used:

  • 38,2 GB SAP Data were downloaded for Installation (w/o HANA update)
  • app. 60 PPT slides were created from different screenshots
  • almost 100 jpegs were created
  • app. 50 SAP KBA Notes were analyzed several times
  • at least 5 Wikis consulted
  • at least 100 SAP Note corrections were applied in advance
  • at least 10 inconsistencies found
  • at least 7-10 errors found and and accepted with “manual Executed”
  • no animals were harmed
  • one Swiss Army Knife available on the Desk
  • app. 20l coffee consumed
  • time effort unpayable



Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE


“I have no special talent, I am only passionately curious.”


Assigned tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Marco Krapf
      Marco Krapf

      Fantastic Blog Post! Special thanks for all the SAP Notes and the other hyperlinks 🙂

      Author's profile photo Roland Kramer
      Roland Kramer
      Blog Post Author


      Author's profile photo Peter Monaghan
      Peter Monaghan

      Never let it be said that Solution Manager isn't nothing short of an adventure. 🙂