Matt_Fraser


Immediately after installing a NetWeaver Java system there are a handful of basic configuration steps common to most systems, regardless of usage type. For the most part these are well-covered in the installation guide and the online help documentation, as well as various SAP Notes, but here I will summarize the steps and give a few recommendations about options. Examples will be for a Windows/SQL Server platform, but generally you should be able to substitute your own platform.

NetWeaver 7.4 SR2 Java Post-Install Basic Configuration



Options During Installation



Installation Guide


The installation itself is well described in the installation guide found at http://service.sap.com/instguides -> Installation & Upgrade Guides -> SAP NetWeaver -> SAP NetWeaver 7.4 -> Installation -> 2 - Installation - SAP NetWeaver Systems -> Installation: Systems Based on SAP NetWeaver 7.1 and Higher -> MS SQL Server -> Java.

Media


You will need to download from http://support.sap.com/software.html -> Installations and Upgrades -> Browse our download catalog -> SAP NetWeaver and complementary products -> SAP NetWeaver -> SAP NETWEAVER 7.4 -> Installation and Upgrade -> Microsoft Windows -> Microsoft SQL-Server:

  • NW 7.4 SR2 Java 1/2

  • NW 7.4 SR2 Java 2/2

  • SAP Kernel 7.42 Windows Server on x64 64bit


Then from Installation and Upgrade -> SOFTWARE PROVISIONING MGR 1.0 -> Windows on x64 64bit:

  • SWPM10SP07 (or successor)


If you don't already have a copy of SAPCAR for unpacking archives, you can find it at Support Packages and Patches -> Browse Download Catalog -> Additional Components -> SAPCAR -> SAPCAR 7.20 -> Windows on x64 64bit.

Diagnostics Agent


It's easy to miss in the guide, but the recommendation is to install the Diagnostics Agent before installing the application server. This is done with the same SWPM tool as for the primary installation, and uses the same kernel archive as a source. After launching SWPM, choose Generic Installation Options -> Diagnostics in SAP Solution Manager -> Install -- Diagnostics Agent with 7.41/7.42 Kernel.

The Diagnostics Agent installation will simultaneously install the SAP Host Agent.

One important note is to choose your destination drive carefully, as this will end up being the same destination drive for your AS Java (they both reside under the same \usr\sap folder, in different subfolders). Subsequent installations of SAP components on the same host will default to (and generally be forced to) the same drive as the first installation, so this is when you are making that decision.

NetWeaver Administrator Remote Access


Typically the first step after completing the installation (and getting a backup) is to allow remote access to NetWeaver Administrator (NWA). As you will be using this tool quite a bit for the remainder of the configuration, it makes sense to do this first. By default, access to NWA is restricted to browsers installed on the local host, i.e. the server itself, which is only useful if you intend to constantly use Remote Desktop to the server console. While it certainly makes sense to restrict which workstations or network segments have access to this powerful tool, you will likely want to expand it to beyond just the server console.

From the server console, open Windows Explorer and navigate to \usr\sap\<SID>\SYS\global\security\data. Make a backup copy of the file icm_filter_rules.txt and then edit the file.

First, you will probably want to insert some line breaks to make it more readable, as out-of-the-box it appears to be all on one line. Then insert one or more lines so that the resulting file looks like this:

# ICM Rewrite Rules for NWA (restrict access to local host and internal segment)
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1 [AND]
if %{REMOTE_ADDR} !regimatch 10.x.x.*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/.*$ /nwa/remote_access_error [QSA]


In the 4th line, substitute the appropriate network segment for "10.x.x.*" to include your administrative workstation.
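
To check a segment pattern before restarting, the rule logic can be modelled offline. The following Python sketch is an added example, not part of the original post or of SAP's tooling; it assumes regimatch performs an unanchored, case-insensitive regular-expression search, and the 10.20.30.0/24 segment, the sample addresses and both patterns are constructed for illustration.

```python
import re

def nwa_allowed(remote_addr, segment_pattern):
    """Model of the rule set: the redirect fires only if all three `if` lines hold."""
    addr = remote_addr.strip()
    not_v4_loopback = addr.lower() != "127.0.0.1"   # !stricmp 127.0.0.1
    not_v6_loopback = addr.lower() != "::1"         # !stricmp ::1
    # Assumption: regimatch = unanchored, case-insensitive regex search.
    not_in_segment = re.search(segment_pattern, addr, re.IGNORECASE) is None
    redirected = not_v4_loopback and not_v6_loopback and not_in_segment
    return not redirected

def audit(segment_pattern, expectations):
    """Return the addresses whose outcome differs from what was intended."""
    return [a for a, want in expectations if nwa_allowed(a, segment_pattern) != want]

# Constructed sample: the intended admin segment is 10.20.30.0/24.
# Each entry is (client address, should NWA be reachable?).
EXPECT = [
    ("127.0.0.1", True),
    ("::1", True),
    ("10.20.30.15", True),
    ("10.20.30.200", True),
    ("10.20.31.15", False),
    ("110.20.30.15", False),        # other network that contains "10.20.30."
    ("192.168.10.20", False),
    ("2001:db8::10:20:30", False),  # ":" satisfies an unescaped "."
]

LOOSE = "10.20.30.*"                     # same style as the 10.x.x.* placeholder
STRICT = r"^10\.20\.30\.[0-9]{1,3}$"     # anchored, dots escaped

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, pattern, "-> unexpected results:", audit(pattern, EXPECT))
```

An unescaped `.` matches any character and an unanchored pattern matches anywhere in the address, so the loose form lets through addresses outside the intended segment. Confirm that the anchored form is accepted by the regex dialect of your ICM release before relying on it.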

Restart the system, then confirm correct configuration by accessing NWA via http://<hostname>:50000/nwa.

SAP License


Next up is the SAP License. From NWA, navigate to Configuration -> Infrastructure -> Licenses. Use Change System Type to set the type of system (dev, test, production, etc). Make a note of the hardware key.

In a different browser window, navigate to http://support.sap.com -> Keys, Systems & Installations -> View or request license keys -> Request Key from Install. Select the appropriate Installation Number, click New System, and fill in the appropriate information, including the hardware key. After submitting, you will typically get an email response back from SAP in a matter of minutes with the license in an attached file. Save the file.

Back in NWA, in the Licenses screen, click Install from File and browse to the received file.

System Data in SAP Support Site


Now, switch back to your support.sap.com window. Select Keys, Systems & Installations -> Manage my system data -> View and edit your system data. Search on your new SID and edit the system.

At this time you should maintain the Usage Type (i.e., Adobe Document Services, etc), the kernel version and patch, the SAP Router information, and basic details about the DB Server (hostname, IP address, instance numbers (00 and 01), and 'yes' to Message Server; don't worry about OS and DB versions, as they'll be corrected automatically later). This provides a base to which Solution Manager can later synchronize details.

SPML Access


Later, when you execute Managed System Configuration in Solution Manager, it will be necessary for at least one administrative user to have SPML (Service Provisioning Markup Language) access, as described in Note 1647157 (How to Set up Access to the SPML Service on AS Java).

From NWA, navigate to Configuration -> Identity Management. Switch to view Roles, then click Create Role. Give the new role the following attributes:

  • Unique Name: Z_SPML_FULL_ACCESS

  • Assigned Users: Administrator (or create a dedicated service user for Solution Manager access with user management privileges)

  • Assigned Actions:

    • Search on *spml* and select and add the following two Actions:

      • Spml_Write_Action

      • Spml_Read_Action






SSL


Configuration of SSL is described in the online help at http://help.sap.com/saphelp_nw74/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm. Here, however, is an overview of the steps.

Cryptographic Library


The cryptographic library (CommonCryptoLib 8.4) is included with the 7.42 kernel, so there is no need to separately download and install it. You will find it already present at \usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll.

Ticket File

What is missing, however, is the 'ticket' file. You can create your own easily enough.

Navigate to \usr\sap\<SID>\J00\sec. Create an empty text file and save it as ticket (no extension). That's it. Without this, SSL will not function.

SSL Access Point


In NWA navigate to Configuration -> Security -> SSL. Under SAP Java Instances confirm that SSL Status is green. If it's not, the most likely cause is a missing ticket file (see above). Note at this point it is normal for the Status under SSL Access Points to be red.

  • Under SSL Java Instances click Edit.

  • Under SSL Access Points click Add.

    • Set the Port to 50001 and save. Do not restart at the prompt.




SSL Key Pair



  • Ensure you have the appropriate CA (Certificate Authority) root certificate available. If not, you can generally download it as an X.509 Certificate (.cer) file from your chosen CA. If there are any other CA root certificates necessary to enable trust of other systems by this system, make them available now, too.

  • Select Back or Home at the top of the screen and navigate to Configuration -> Security -> Certificates and Keys.

  • Select the Key Storage View ICM_SSL_xxxxx.

  • Delete all the default View Entries (SAPPassportCA, ssl-credentials, and ssl-credentials-cert). Note that these are copies of templates found in the service_ssl view, so they can always be recovered.

  • Click Import Entry.

    • Entry type: X.509 Certificate

    • Browse to and import the CA root certificate.



  • Click Create.

    • Entry Name: <hostname of this system>

    • Leave most other fields at default (RSA, 2048 bits, etc).

    • Select the checkbox for Store Certificate.

    • For commonName enter the fully-qualified domain name (FQDN) of your system, e.g., javahost.domain.com



  • Select the new private key you just created and click Generate CSR Request.

    • Choose the options required by your CA. If this is an internal-only server and you are using your own CA, such as Microsoft Certificate Services, select Base64 PKCS#10 and download the .pem file.



  • In a new window, navigate to your CA and submit your certificate request using the file you just downloaded. If you are using MS Certificate Services as an internal CA, choose Advanced certificate request and Submit a certificate request by using a base-64... Open the file you downloaded with Notepad and copy the contents into the Saved Request field and submit.

  • When you have the response from the CA, download it as Base64 encoded certificate chain and save it as hostname.p7b.

  • Back in NWA, with your private key selected, click Import CSR Response, browse to the p7b file, add it and import it.

  • Under Key Storage Views, with the ICM_SSL_xxxxx view selected, click Export View to PSE. A restart of the SSL Provider is necessary, but you can wait until after you configure the next section.


SLD Data Supplier Connection


Although you probably configured this during the installation, it's likely that it didn't "take" and you'll need to configure it again now.

  • Still in NWA, navigate to Configuration -> Infrastructure -> Destinations

  • Under Destination List click Create.

    • Destination Name: SLD_DataSupplier

    • Destination Type: HTTP

    • URL: http(s)://<SLD hostname>:<SLD http(s) port>/sld


    • Select the checkbox for Ignore SSL Server Certificates

    • Authentication: Basic (User ID and Password)

    • User Name: SLDDSUSER (or SLD_DS_<SLDSID> if you have a newer release SLD)



  • Click Create again

    • Destination Name: SLD_Client

    • All other details are the same as for SLD_DataSupplier



  • Navigate to Configuration -> Infrastructure -> SLD Data Supplier Configuration

  • Click Collect and Send Data and ensure success.


Restart System


Restart your application server (to enable SSL), then log on using https://<hostname>:50001 to check the certificate and configuration.

Log on to your SLD system and confirm successful registration of your new AS Java.

You're now ready to proceed with Managed System Configuration in Solution Manager, after which you can set up a maintenance transaction to apply the latest Support Package Stack. That, however, is beyond the scope of this blog post.

This has been a quick overview of the basic initial configuration steps common to all AS Java 7.4 systems.
