Skip to Content
Technical Articles
Author's profile photo Roland Kramer

another Mystery solved – connect Diagnostic Agent properly

Last Changed: 05th of April 2022

while the Installation and (Basis) Configuration of SolMan 7.2 is really a complex task, it shows that the correct Implementation of the Diagnostic Agent become an even more complex task.

Blog – SAP MacGyver – Installing SAP SolMan 7.2


Install and connect the SAP Diagnostic Agent properly

It is always beneficial to start with a complete new Installation, before spending too much time fixing an existing Setup. This allows you to use the latest Version of the SAP JVM8, SAP Host Agent 7.22 and the current 7.53 SAP Kernel. Despite the Version you install, once the Installation is finished the Diagnostic Agent get the latest Version for the connected SolMan 7.2

First Install/Update the SAP Host Agent to the latest Version and make sure the parameters in the file host_profile are set correctly to support the SSL configuration.

Note 540379 – Ports and services used by SAP
Note 3093121 – SAP Host Agent 7.22 PL54
Note 3113553 – SAP Host Agent 7.22 PL55
Note 3138653 – SAP JVM 8.1 Patch Collection 84 (build 8.1.084)
Note 1858920 – Diagnostics Agent installation with SWPM
Note 2253383 – Diagnostics Agent – SWPM Archive-Based Installation
Note 2573122 – Diagnostics Agent can’t find .sar file

SAP Help – Configuring SSL for SAP Host Agent on UNIX

# executed as root with switch to user sapadm
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x is!seCret -r /usr/sap/hostctrl/exe/sec/server-csr.p10 "CN=server.domain.ext, O=SAP AG, OU=IDNA, C=DE"
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x is!seCret -O sapadm
server:/usr/sap/hostctrl/exe/sec #
# send the certification request (server-csr.p10) and get the response (server-csr.p7b)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x is!seCret -c server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x is!seCret -v
server:/usr/sap/hostctrl/exe/sec # dir
-rwxrwxr-x 1 sapadm sapsys 5239 Oct  6 14:53 SAPSSLS.pse
-rwxrwxr-x 1 sapadm sapsys  115 Oct  6 14:51 cred_v2
-rwxrwxr-x 1 sapadm sapsys  964 Oct  6 14:51 server-csr.p10
-rwxrwxr-x 1 root   root   6559 Oct  6 14:52 server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #

 

server:/usr/sap/hostctrl/exe # vi host_profile
# add the following Information and restart with ./saphostexec -restart
SECUDIR = /usr/sap/hostctrl/exe/sec
ccms/enable_agent = 1
saphostagent/ssl_setup = true
service/admin_users = sapadm dasadm
service/http/hostname = server.domain.ext
ssl/server_pse = /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
# enable SSL - ./saphostexec -install -setup slplugin -passwd
# update SHA - ./saphostexec -upgrade -archive SAPHOSTAGENT54_54-80004822.SAR

 

Secondly, Install the Diagnostic Agent with SWPM 1.0 SP32 (or higher)
Note 1680045 – Release Note for SWPM 1.0 (recommended: SWPM 1.0 SP32)

./sapinst SAPINST_EXECUTE_PRODUCT_ID=NW_DiagnosticsAgent:GENERIC.IND.PD

Detected%20Software%20Packages%20are%20up%20to%20date

Detected Software Packages are up to date

The Port of the JAVA SCS Instance is not the P4 or P4S Port, as it is the 4-digit Ports which is defined in the ASCS Profile of the SAP Java SolMan 7.2 Server.
As the SAP JAVA Implementation misses certain SAP Standard Features like Logon Balancing and Secure Communication, the usage of a Web Dispatcher is mandantory as soon, a load is expected which cannot be hold by a single SAP JAVA Instance/Node.
The most suitable Configuration is to stick to the WebDispatcher Configuration for the SCS Message Server Ports for HTTP/HTTPS as it sticks closely to the attached SAP ABAP Instance.

# mandantory Instance Parameter must be set in a SAP JAVA Instance
ms/server_port_0 = PROT=HTTP,PORT=80$$
ms/server_port_1 = PROT=HTTPS,PORT=81$$
service/protectedwebmethods = DEFAULT
system/secure_communication = OFF

SAP Help – SCS Instance with Integrated SAP Web Dispatcher

Blog – Preparation – SolMan 7.2 Configuration

the SWPM might expect as HTTPS SCS Port 444<SCS Nr.>, in fact it expects  any HTTP SCS Port which can be freely defined, e.g. as 80<SCS Nr.> in the SolMan 7.2 Java DEFAULT.pfl.

However, the SAP Standard Documentation is quite blurry when it comes to the Definition of the Port ms/server_port_1 = PROT=HTTPS for SAP JAVA. By Default this Parameter is not set nor defined.

SAP Help – Parameters for Additional Components to be Included in the SCS Instance => HTTPS note mentioned
SAP Help – Direct SAP Solution Manager Connection
=> talks only about Java SCS Message Server with SSL support, the Term “P4(S)” Connection is misleading. This Connection Type is recommended by SAP.
SAP Help – Security Settings for the SAP Message Server
SAP Help – SAP Solution Manager Connectivity Parameters => 444<SCS Nr.>
SAP Help – TCP/IP Ports of All SAP Products => 443<SCS Nr.>
In an SAP JAVA Instance, the ICM Port is not the HTTP MsgServ Port, these are different Ports and so the Definition on the official SAP Documentation is not clear either.

icm/server_port_0 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01
icm/server_port_1 = PROT=HTTP, PORT=5$(SAPSYSTEM)00
icm/server_port_5 = PROT=P4SEC, PORT=5$(SAPSYSTEM)05, TIMEOUT=240, PROCTIMEOUT=900, SSLCONFIG=ssl_config_5
icm/server_port_4 = PROT=P4, PORT=5$(SAPSYSTEM)04, TIMEOUT=240, PROCTIMEOUT=900
ms/server_port_0 = PROT=HTTP,PORT=80$(SAPSYSTEM)
ms/server_port_1 = PROT=HTTPS,PORT=81$(SAPSYSTEM)
# ms/server_port_1 = PROT=HTTPS,PORT=443$(SAPSYSTEM)

 

To be on the safe side, check the Settings of the HTTPS Port for the SCS Instance in the SAP NetWeaver Administrator => Configuration => Infrastructure => Message server.

check%20with%20the%20SolMan%20NWA%20the%20SCS%20Port%28s%29

check with the SolMan NWA the SCS Port(s)

Connection Information for the Diagnostic Agent

The Definition P4 (SSL) Connection via JAVA SCS Message Server is also misleading, as the P4/P4S Port can be checked with the following URL:

Note 2914769 – Cannot establish connection to URL /msgserver/text/logon

http://server.domain.ext:80<SCS Nr.>/msgserver/text/logon?version=1.2
https://server.domain.ext:81<SCS Nr.>/msgserver/text/logon?version=1.2

the SCS Port of the SolMan JAVA Instance has 4 Digits

Monitor%20the%20further%20Setup%20in%20the%20Agent%20Administration%20Monitor

Monitor the further Setup in the Agent Administration Monitor

 

https://server.domain.corp:5<nr>01/smd/AgentAdmin

SAP Help – connection to the SolMan via P4S Socket

Note 1907909 – How to connect Diagnostics Agent to Solution Manager system directly by using smdsetup script

 

server:dasadm > cd /usr/sap/DAS/SMDA98/script/
server:dasadm > stopsap r3
server:dasadm > ./smdsetup.sh sldconf hostname:"sapms://server.domain.ext" port:"51801" user:"SMD_RFC" pwd:"is!seCret" use_ssl:"true"
server:dasadm > ./smdsetup.sh managingconf hostname:"sapms://server.domain.ext" port:"51805" user:"SMD_RFC" pwd:"is!seCret"
server:dasadm > startsap r3
server:dasadm > ls -lart ../SMDAgent/log/
drwxr-xr-x 9 dasadm sapsys   4096 Oct  6 18:47 ..
-rw-r--r-- 1 dasadm sapsys   6992 Oct  6 18:48 dpc.0.log
-rw-r--r-- 1 dasadm sapsys   7658 Oct  6 18:48 eem.0.log
-rw-r--r-- 1 dasadm sapsys   4749 Oct  6 18:49 smd.0.connector.listener.log
-rw-r--r-- 1 dasadm sapsys    689 Oct  6 18:49 e2emai.0.log
-rw-r--r-- 1 dasadm sapsys    622 Oct  6 18:49 e2edcc_iis.0.log
drwxr-xr-x 2 dasadm sapsys   4096 Oct  6 18:49 .
-rw-r--r-- 1 dasadm sapsys   9688 Oct  6 19:37 SMDAgentApplication.0.log
-rw-r--r-- 1 dasadm sapsys 109497 Oct  6 21:04 e2edcc_host.0.log
-rwxr-xr-x 1 dasadm sapsys 166874 Oct  6 21:04 SMDSystem.0.log
-rwxr-xr-x 1 dasadm sapsys 530335 Oct  6 21:04 smdagent_trace.0.trc
-rw-r--r-- 1 dasadm sapsys  31169 Oct  6 21:04 e2edcc_db.0.log
-rw-r--r-- 1 dasadm sapsys 142068 Oct  6 21:04 e2edcc.0.log
# if you not see all these files, then the script smdsetup.sh was executed incorrectly!

 


Check in the Agent Administration that the Agent is available and you can trust the Agent.

/webdynpro/dispatcher/sap.com/tc%7Esmd%7Eserver%7Eagent%7Eadmin/SMDAgentAdminApplication

/webdynpro/dispatcher/sap.com/tc~smd~server~agent~admin/SMDAgentAdminApplication

Connection Status – Agent Administration

 

If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab.

com.sap.smd.agent.application.connectors
com.sap.smd.agent.application.global.configuration

 

com.sap.smd.agent.application.connectors

com.sap.smd.agent.application.global.configuration

com.sap.smd.agent.application.global.configuration

Diagnostic%20Agents%20-%20Overview

Diagnostic Agents – Overview

 

Finally, the configuration should look like this (alternative you can use the MS/P4 Server Connection for the SolMan Configuration). Here you can switch also to P4S (P4 SSL), and keep in mind that these type of connection is not suitable for cluster installations.

Diagnostic%20Agent%20Connectivity%20-%20MS/P4

Diagnostic Agent Connectivity – MS/P4

Diagnostic

Diagnostic Agent Connectivity – P4 SSL

Diagnostic Administration successfully enabled

Advanced%20Agent%20Administration

Advanced Agent Administration

Wiki – Diagnostics Agent and HA Support

Configure%20Agents%20on-the-fly%20for%20FRUN

Configure Agents on-the-fly for FRUN

 


Starting with SP 14 for SolMan 7.2, you can update the cipher suites with elliptic curve algorithms ECDHE and ECDSA for outbound connections in SAP NetWeaver (NW) AS Java. The settings from the following Note are still possible, however it is suitable to switch them to the new values – SSLContext.properties

 

Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 3144145 – How to support Elliptic Curve Algorithms in Diagnostics Agent

# edit the following file and add the lines to the existing entry
/usr/sap/DAS/SMDA98/SMDAgent/smdagent.properties
smdagent.javaParameters=-DP4ClassLoad=P4Connection -Xmx256m -Xms256m -XX:MaxPermSize=128m
-Djdk.tls.client.protocols="TLSv1.2"
-Diaik.security.ssl.configFile=file:/usr/sap/DAS/SMDA98/SMDAgent/SSLContext.properties
#
# edit the following file and uncomment the line
/usr/sap/DAS/SYS/exe/jvm/linuxx86_64/sapjvm_8.1.080/sapjvm_8/jre/lib/security/java.security
crypto.policy=unlimited

 

Check

 

You can check the correct configuration after restarting the Diagnostic Agent Service in the Advanced Settings of the Agent Administration Web Page against an existing which supports the new cipher settings, e.g.

Check the SSL Context Properties with your Diagnostic Agent

 

Typical Error Messages assigned to this Task

com.sap.smd.agent.facade.hostagent.HostAgentNotAvailableException: HostAgent stub com.sap.smd.agent.wsclients.jax.saphostcontrol.SAPHostControlInterfaceexecuteOperation failed.

Exception: javax.naming.NoPermissionException: 

Exception during getInitialContext operation. Wrong security principal/credentials. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Login failed.]

CX_SOAP_CORE : Error when calling SOAP Runtime functions: 
SOAP-ENV:Serverjava.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point'java.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point' 

P4 connection to Solution Manager Diagnostics (SMD) server failed
Connecting to SMD server ms://server.domain.ext:8019/P4 failed

Unable to create SSLContext because of KeyStore Exception java.security.UnrecoverableKeyException: Cannot recover key.)
Unable to open SSL connection to host "itsm.services.sap:443"

 

SAP Notes assign to the Task/Topic (way too much “Jugend forscht”:

Note 1786051 – Configuration check for managed system returns “No FQDN found in Host”
Note 1799138 – Configuration check returns “The definition of Technical System ‘{SID}~{STACK}’ is not correct: ‘{SID}~{STACK}’ : Operating System ‘{OSName}’ of Host ‘{hostname}’ must have at least one Software Component Version” – SolMan
Note 1822831 – Web Service Soap Errors in solman_setup
Note 1862333 – Common Host Agent issues displayed in Agent Administration
Note 2183995 – Data Supplier Processing in SAP Solution Manager 7.2 in LMDB
Note 2187696 – CCMS agent disabled: AS Java System Overview gray lights
Note 2201640 – The definition of Technical System ‘<SID>~HANADB’ is not correct: ‘<SID>~HANADB’: Technical System must be installed on at least one Host.
Note 2414713 – The definition of Technical System <SID~TYPE> is not correct. No instance found under installed Technical System
Note 2436986 – Registration and Managed System Setup of SAP HANA in SAP Solution Manager
Note 2499629 – Manual activities in LMDB when switching the Outside Discovery by Diagnostic Agent to Outside Discovery by SAP Host Agent
Note 2554489 – Register AS ABAP system to SLD in RZ70 using HTTP connection with path prefix “/sld” doesn’t work
Note 2556432 – Switch Outside Discovery from Diagnostics Agent to SAP Host Agent
Note 2637838 – NWA “System Overview” shows grey lights and N/A status – Best Practices for Troubleshooting
Note 2836143 – How to directly register managed system to LMDB in SAP Solution Manager
Note 3054925 – Skip RFC connection error message in RZ70 when HTTP connection is maintained
Note 3073139 – SLD registration is deactivated due to incomplete calling parameters.
Note 3076443 – SAP Host Agent 7.22 PL53
Note 3090021 – Error ‘<SID>~ABAP’: Operating System ‘Linux~<version>’ of Host ‘<hostname>’ must have at least one Software Component Version
Note 3092345 – Define CA Introscope: wrong Diagnostics Agent
Note 2284059 – Update of SSL library within NW Java server
Note 2463712 – Diagnostics Agent TLS 1.2
Note 2538934 – Handshake is failing in AS Java when connecting to a server which only supports TLS_ECDHE ciphers
Note 2569156 – How to create, modify and validate SSLContext.properties file
Note 2616092 – System availability checks: Unable to open SSL connection to host “host:port”. KeyStore
Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 2817129 – The Diagnostic Agent continues to use TLS 1.1 even with the TLS 1.2 set in the parameters
Note 2893335 – AS Java TLS handshake failure – unsupported extension
Note 2849162 – Enable the Diagnostics Agent to Support Additional SSL Cipher Suites for IAIK-based Connections
Note 2951143 – java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer!

 


Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance

 

“I have no special talent, I am only passionately curious.”

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Tim Karl
      Tim Karl

      Hello Roland,

      thank you for the helpful overview. Some remarks from my side:

      • in your SWPM screenshot of the installation the port 8019 is used. As mentioned in the bottom of SWPM: the JSCS port should be in the format 81<instance number of JSCS>
      • P4S port configuration is only needed if the agents are connected thru P4 SSL instead of P4
      • "If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab" -> I would take a look into SOLMAN_SETUP -> Infrastructure Prep -> Step 2:3: Generation of authentication certificate (User&PWD auth isn't supported in SM7.2 anymore). Next to this Infrastructure Prep -> Step 1.4: Definition of Java (technical) system and automatic executions in Step 2.1 are common root causes
      • I would always mention the common logs: SMDSystem.#.log and SMDAgentApplication.#.log
        • Therefore the Agent Log Viewer is great in the agent admin application
      • Another common root cause for missing agents per host is a missing agent on the fly configuration. Oliver and Christian created a great blog for

      Kind regards

      Tim

      Author's profile photo Roland Kramer
      Roland Kramer
      Blog Post Author

      Hello Tim,

      Thanks for the immediate feedback, appreciated.

      the reason why I have used the HTTP SCS Message Server Port and not the HTTPS Port, is fairly simple: mostly the correct TLS/SSL configuration is not in place and must be available in advance.

      Blog - demystifying TLS/SSL Settings for NetWeaver

      All other issues are handled in the main Blog - SAP MacGyver – Installing SAP SolMan 7.2 where I explicitly mention to check all users in advance before continuing the SolMan Setup and switch the user type "Service" to avoid Password Changes and Locks.

      Furthermore the switch to P4S or P4 SSL is only possible, when these pre requisites are fulfilled. However Customers want to activate maximum security and P4 connections are not suitable for Cluster Installation and this annoying Information Message will not disappear.

      The Agent on-the-fly Configuration is only necessary for FRUN Implementation, SolMan 7.2 can deal without it. Also for the Discovery of SAP IQ Databases it is not necessary and can cause Misunderstandings with the "Simple Diagnostic Agent" Installation (in my opinion)

      SAP First Guidance – SAP NLS Solution with SAP IQ 16.x

      Thanks and Best Regards Roland