Filtering URLs by using Permission Table in SAP Web Dispatcher

Let us say you have installed a Web Dispatcher in the DMZ so that business partners can send SOAP messages to you over the internet. From a security perspective, you may want the business partners to access the SOAP URLs alone; they should not even be calling admin-related URLs.

To achieve this, you can use a permission table (ptab) in the Web Dispatcher.

Create a file (say ptabfile) which allows SOAP URL pattern /XISOAPAdapter/MessagingServlet*, so that a call to the SOAP URL (http://<host>:<port>/XISOAPAdapter/MessagingServlet?channel=<party>:<sendersystem>:<CC_sender>) is permitted. The contents of the file would then be:

P    /XISOAPAdapter/MessagingServlet*
D   *

Add the following parameter to the web dispatcher profile file:
wdisp/permission_table = <absolute_path_to_ptabfile>

Restart web dispatcher for the change to get activated.

When a call to the Web Dispatcher is made containing the pattern http(s)://<web dispatcher host>:<web dispatcher port>/XISOAPAdapter/MessagingServlet*, the Web Dispatcher reads the first line of the ptabfile and finds that the call is permitted. As this is a valid rule, it stops evaluating further permissions (thereby ignoring the deny-all pattern D   *). The end result is that the caller can proceed further.

If a call to the WD admin URL (http(s)://<web dispatcher host>:<web dispatcher port>/sap/admin) is made, for example, the WD evaluates the first line, finds it irrelevant, then proceeds to the next line, which matches the URI, and evaluates it as a deny all. The end user/business partner calling this URL will get a 403 error.
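
The first-match evaluation described above can be checked offline before the table is deployed. The following is an added example, not code from the original post or from SAP: it is a simplified model that handles only the P and D actions and the * wildcard shown in the post, and it assumes that only the URL path is matched. The host name and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Permission table exactly as shown in the post.
PTAB = """\
P    /XISOAPAdapter/MessagingServlet*
D   *
"""
# Same two rules in the wrong order (constructed to show the pitfall).
PTAB_REORDERED = """\
D   *
P    /XISOAPAdapter/MessagingServlet*
"""

def parse_ptab(text):
    """Turn 'P <pattern>' / 'D <pattern>' lines into (action, pattern, regex)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, pattern = line.split(None, 1)
        if action not in ("P", "D"):
            raise ValueError(f"unsupported action {action!r}")
        pattern = pattern.strip()
        # '*' is the only wildcard modelled; every other character is literal.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        rules.append((action, pattern, re.compile(regex)))
    return rules

def evaluate(rules, url):
    """Return (decision, matching pattern) using first-match-wins evaluation."""
    path = urlsplit(url).path  # assumption: the query string is not matched
    for action, pattern, regex in rules:
        if regex.fullmatch(path):
            return ("permit" if action == "P" else "deny", pattern)
    return ("no-match", None)  # cannot happen while the table ends with 'D *'

# Constructed sample requests; wd.example.com is a placeholder host.
SAMPLES = [
    "https://wd.example.com:443/XISOAPAdapter/MessagingServlet?channel=p:s:cc",
    "https://wd.example.com:443/sap/admin",
    "https://wd.example.com:443/XISOAPAdapter/MessagingServletOther",
]

if __name__ == "__main__":
    for name, table in (("post", PTAB), ("reordered", PTAB_REORDERED)):
        rules = parse_ptab(table)
        for url in SAMPLES:
            print(name, evaluate(rules, url), url)
```

The third sample shows that the trailing * also permits any other path that merely starts with the same prefix, and the reordered table shows that putting D * first denies every request, including the SOAP URL.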

SYSTAT IDocs Causing High IO Load

The status IDocs processed by SAP PI/XI can cause high CPU wait times (because of increased I/O activity). If you notice high CPU usage with most of the CPU time spent on wait, check whether SYSTAT IDocs are being processed (you can check SMQ1/SMQ2 for slow-moving queues).

[Figure: Checking high wait CPU on AIX using topas]

If you check the SQL statements being executed at that moment, you might notice the following statement:

SELECT * FROM IDXRCVPOR WHERE IDOCNUMBER = <some IDOC number>

You might notice the SQL statement showing up in SM66 for 5-6 seconds, and the explain statement would show very high IO-Costs as it is performing a full table scan.

To address this performance problem, create an index on the IDOCNUMBER column of the table IDXRCVPOR.

How to Clear RFC Function Module Metadata in SAP PI

The RFC Adapter in SAP PI stores all the metadata of the function modules. This means it caches the definition of function modules, structures and other datatypes. This cache is filled when the Communication Channel processes its first messages after the system restart, and pins the metadata so that the subsequent messages need not fetch the metadata again. Having the metadata readily available at runtime improves the message processing speed.

If the function module is changed in the Sender or Receiver system, its metadata has to be updated in the RFC Adapter's metadata repository. This can be done by:

  1. Changing the Communication Channel in Integration Builder, so that a cache update on the entire channel is triggered (which includes removing the old metadata)
  2. Restarting the RFC Adapter service
  3. Restarting the J2EE Engine(s)

Each of the three options above clears the metadata; it is fetched again when a new message is processed by the Communication Channel.

Clearing Empty File Repositories in BI 4.x using Fileserver Prune Command

To clean up empty folders from the file repositories:

  1. Stop the input and output file repository servers using CMC.
  2. From the Windows command prompt, run the following command to clean up the input repositories:
    "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\fileserver" -rootdir "c:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/FileStore/Input/" -prune -fg
  3. Now run the following command to clean up the output repositories:
    "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\fileserver" -rootdir "c:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/FileStore/Output/" -prune -fg
  4. Start the file repository servers using CMC.

Extracting Multipart SAP DVDs in Unix .exe followed by .zip

Large SAP DVDs are split into multiple parts. The first part is a rar file and the next parts are .rar or .zip files.

One option is to double-click the exe file on your Windows PC so that the DVD is extracted to a folder, and then upload the folder to your UNIX system. A better way is to extract the files on the UNIX system itself.
  1. Place all the DVD part files (.exe and .rar files) in a single folder.
  2. Download the command line extractor unrar for your UNIX system.
  3. Run the unrar command against the .exe DVD part file:
    unrar x <archiv-name(exe-file)> <targetdir>
  4. As all the files are in a sequence (part1, part2 ...), all of them will be picked up and extracted.
  5. NOTE: On some systems you need to execute ./unrar xvf <filename>.exe or ./unrar xvf <filename>.rar