Backup Error after Kernel Upgrade

Last week we have been upgraded our kernel  on dev server from 137 t0 221

But the problem arise when we do backup using db13.

Then we do backup using brtools with user ora<SID>. Several error occured but most of them are just about file permission and the backup finished successfully (with brtools command — ora<SID> user)

So the big problem is at TSM Server (we are using TSM – Tivoli Storage Management for backup data)

Our current TSM Version is 5.4 but it’s not compatible with kernel 221. Kernel 221 need TSM version 5.5

client 300 has status not modifiable

A few days ago I have complaint from users, they said when they executing transaction on Personnel Administration (PA), Organization Management (OM) and Time Management (TM) there is a pop up message like this “client 300 has status not modifiable”, but they can save their work. So the pop up just a notification from SAP.

To remove that pop up message, do the following action :

1. Modify tx SCC4 to automatic recording of changes

2. run tcode OOCR

\

Put an ‘X’ to Group = TRSP,  Semm.abbr = CORR

3. Modify SCC4 back to normal

Finish 😀
Now, you can run all transaction on PA, OM and PM without pop up message 🙂

Transport control program tp ended with error code 0232

Last month I’ve change password for user SAPSR3 by mistake
the result from brtools is “password changed successfully in table OPS$CAPADM.SAPUSER for user SAPSR3”

After that I can not do transport
with error : TP_REPORTED_ERROR
Transport control program tp ended with error code 0232

I post a question to sdn forum, here is the link : http://forums.sdn.sap.com/thread.jspa?threadID=1560738&tstart=0

The main problem is that SAP logon mechanism using 2 place to save its user and password. SAP save it on Oracle dictionary and SAPUSER table. One of it password hadn’t changed yet.

So, the solution was running this command : brconnect -u / -f chpass -o sapsr3 -p <password> –> same password with the one that I’ve change 😀

This is the article about SAP Logon Mechanism from saptechies.com :

1. What are the default database users in the SAP environment?

The following database users exist in the SAP environment:

SAPR3 / SAP<sid> / SAP<xyz> / SAPSR3

The SAPR3 / SAP<sid> / SAP<xyz> / SAPSR3 user is the owner of all R/3 objects. The work processes log on to the database with this user. The SAPR3 user was always used for older R/3 releases. However, since several R/3 systems may be present in the same database within MCOD with current releases, you can replace the SAPR3 user with a system-specific SAP<sid> user here. You can define this during the installation. To avoid confusion during homogeneous system copies, as of 4.7 SR1 you can use an SID-independent username, SAP<xyz>, with “SAP” followed by any three characters (see Note 617444). In the meantime, the system proposes the username SAPSR3 by default – irrespective of the SID that the system actually uses.

SAPR3SHD / SAP<sid>SHD / SAP<xyz>SHD / SAPSR3SHD

This user is used temporarily within an SAP shadow upgrade. This user is not required during normal system operation.

SYSTEM

The SYSTEM user is created during the Oracle installation as standard and has extensive authorizations. Some of the objects in the system tablespace belong to this user.

SYS

The SYS user is also created during Oracle installation and also has extensive authorizations. Most of the objects in the system tablespace belong to this user.

OPS$<sid>ADM (NT, UNIX) / OPS$SAPSERVICE<sid> (NT)

The OPS$ users are taken from R/3 and used to set up the connection to the R/3 database and to execute sapdba and BR tools and are created as part of the R/3 installation. For more information about these users, see below.

INTERNAL

CONNECT INTERNAL is a mechanism that you can use to log onto the database without a password. Therefore, strictly speaking, INTERNAL is not a user. For more information about CONNECT INTERNAL (or SYSDBA and SYSOPER connect), see the section below. As of Oracle 9, CONNECT INTERNAL is no longer available – instead, only the “/ AS SYSDBA” and “/ AS SYSOPER” connects are available.

OUTLN

Stored Outlines are managed in the OUTLN user. If this user is missing, ORA-18008 may occur. See Note 722376, which contains further information.

DBSNMP

The DBSNMP user may be created by Oracle, but does not play a role in the R/3 environment.

CTXSYS

The CTXSYS user is only used in conjunction with Oracle and has no role in the R/3 environment. This user is only required if you use Requisite/BugsEye. SAP<sid>DB

TSMSYS

The TSMSYS user is an Oracle-internal user (Transparent Session Migration) that is automatically created as of 10g, but that is of no importance in the SAP environment.

DIP

The DIP user is an Oracle-internal user (Directory Integration Provisioning) that is automatically created as of 10g, but that is of no importance in the SAP environment.

SAP<sid>DB / SAP<xyz>DB / SAPSR3DB

SAP<sid>DB, SAP<xyz> DB or SAPSR3DB is the equivalent to SAPR3 / SAP<sid> / SAP<xyz> / SAPSR3 in the J2EE environment as of Release 6.30.

SAPPCD

In the EP environment, the SAPPCD user is owner of the objects of the Portal Content Directories (PCD).

SAPWCM

In the EP environment, the SAPWCM user is owner of Content Management objects.

2. Where is information about existing users saved?

The data concerning database users is stored in the Oracle dictionary in the SYSTEM tablespace. One exception here is the SYSDBA or SYSOPER connection which can also be set up without accessing the Oracle dictionary.

3. How can I log on to a stopped database?

Normal connections are not possible with stopped databases, because they require an access to the Oracle dictionary. A logon to the database is only possible in this case by means of a SYSDBA or SYSOPER connection.

4. How can I find out which database users exist on the system?

The following query on DBA_USERS returns all users created in the database:

SELECT USERNAME FROM DBA_USERS;

5. What are the standard passwords for database users?

SAPR3 / SAP<sid> / SAP<xyz> / SAPSR3: sap

SYSTEM: manager

SYS: change_on_install

OPS$ user: No password required

INTERNAL: No password required

OUTLN: outln

DBSNMP: dbsnmp

SAP<sid>DB / SAP<xyz>DB / SAPSR3DB: Password is explicitly assigned during installation.

6. How can I change Oracle passwords?

You can use SQLPLUS to convert passwords:

sqlplus “/as sysdba”
ALTER USER <username> IDENTIFIED BY <new_password>;

7. What is the effect for SAP of changing passwords?

Before you change passwords, you should always check whether scripts contain calls with hardcoded passwords. These scripts may have to be adjusted. When you change a password, you should take the following side effects in the standard SAP system into account:

SAPR3 / SAP<sid> / SAP<xyz>DB / SAPSR3DB: To allow continued logon of the R/3 work processes using the OPS$ mechanism, you must also change the password in the SAPUSER table. The simplest way of making a consistent change in the Oracle dictionary and in the SAPUSER table is to use the ” -f chpass” option of brconnect, for example:

brconnect -f chpass -o [sapr3 | sap<sid> | sap<xyz> | sapsr3] -p <new_password>

If the password is only adjusted in the Oracle system and not in the SAPUSER table, the work processes and tools such as R3trans or saplicense fail with ORA-01017.

To avoid unexpected problems (for example, as described in Note 569302), we recommend that you only change the password when R/3 is stopped.

SYSTEM: By default, sapdba and the BR tools are connected to the database with the SYSTEM user and standard password. If you change this now, you can only start the tools by explicitly specifying the user name and password. To do this, use the option “-u <username>/<password>”. Otherwise, calling sapdba, brbackup, brconnect, brarchive and brrestore fails with ORA-01017.

A useful alternative to the SYSTEM user when using the BR*TOOLS is to use the OPS$ mechanism by specifying “-u/”. This mechanism is also used by DB13 actions by default.

SYS: A change to the SYS password does not affect the R/3 System.

INTERNAL: the SYSDBA or SYSOPER connect can be protected in theory with a password stored at the level of the operating system. However, this may cause problems if you want to establish a connection in scripts (for example, startdb) or tools (for example, sapdba) without a password. Therefore, we recommend that you do not activate password protection for the SYSDBA and SYSOPER access.

OUTLN, DBSNMP: Changing the password has no effect on the SAP system.

SAP<sid>DB / SAP<xyz>DB / SAPSR3DB: The J2EE processes can no longer log on to the database and they fail with ORA-01017. To avoid this problem, you must also change the password using the CONFIGTOOL script from the CONFIGTOOL subdirectory of the J2EE installation. Select “Secure Store” and “jdbc/pool/<SID>/Password” to change the password.

8. How can I log on to the database without a password?

Using SYSDBA/SYSOPER connect and the OPS$ user, you can log on to the database without a password. For more information on these connect mechanisms, see below.

9. What happens when I log on with SYSDBA/SYSOPER privileges?

No password is required when you log on with SYSDBA or SYSOPER privileges. Instead of this, the authentication is based on the membership of the calling operating system user to the operating system groups. For more information on this mechanism, see Note 480266.

10. What should I do if the SYSDBA/SYSOPER connect does not work?

If the SYSDBA or SYSOPER connect terminates with an error such as ORA-01017 or ORA-01031, see the causes described in Note 480266.

11. What happens when I log on as an OPS$ user?

You can log on as an OPS$ user without a password. Instead, authentication is based on the name of the relevant operating system user. Only those operating system users that have a relevant OPS$ user in the database can log onto the database with the OPS$ mechanism. For more details, see Note 400241.

12. How can I eliminate problems when logging as an OPS$ user?

Note 400241 describes possible problems in using the OPS$ mechanism and how to solve them.

13. What are the similarities and differences between SYSDBA/SYSOPER connects and the OPS$ mechanism?

Similarities:

• Authentication via operating system
• No password required

Differences:

• Logon string:SYSDBA/SYSOPER:”CONNECT INTERNAL” / “CONNECT / AS SYSDBA” / “CONNECT / AS SYSOPER”OPS$: “CONNECT /”
• Authentication method:SYSDBA/SYSOPER: Group membershipOPS$: User name
• Connection during stopped database:SYSDBA/SYSOPER: possible.OPS$: not possible
• Connection from remote host:SYSDBA/SYSOPER: not possible or only possible with password fileOPS$: possible.
• Use:SYSDBA/SYSOPER: DB start, DB stop, restore, recoveryOPS$: Work process connection, sapdba, BR tools
• Authorizations:SYSDBA/SYSOPER: extensiveOPS$: restricted
• Database user:SYSDBA/SYSOPER: SYS (SYSDBA) / PUBLIC (SYSOPER)OPS$: OPS$<osuser>

14. How can I define the hosts from which links to the database are allowed?

For security reasons, it may make sense to allow users to log on to the Oracle database only from particular servers (from SAP application servers, for example). You can do this by setting the parameters for protocol.ora as described in Note 186119 (tcp.validnode_checking, tcp.invited_nodes).

15. How can I set up an SYSDBA or SYSOPER connection from a remote host?

For security reasons, a SYSDBA/SYSOPER connection from a remote host is not provided as a default function. However, if this function is required in special cases, you can use orapwd to create a password file as described in Note 168243.

16. Why does “CONNECT INTERNAL” not work with Oracle 9 or higher?

As of Oracle 9, “CONNECT INTERNAL” is completely replaced by more transparent calls, “CONNECT/AS SYSDBA” and “CONNECT/AS SYSOPER”. Scripts that contained “CONNECT INTERNAL” must be adjusted accordingly.

17. What is the situation with the users SAPTRANS, SAPDDIC and SAPHOT?

The SAPTRANS, SAPDDIC and SAPHOT database users were delivered a long time ago (R/3 2.x or lower) and are not used by the SAP system. You can therefore delete them using “DROP USER <username>”.

Setting ALE Connection

We have 2 server to be connected.. CAP (production on client 300) and CAY (payroll on client 600)

To set ALE Connection between CAP and CAY, do the following action :

SCC4 –> Find logical system name for CAP and CAY

CAP –> CAPCLNT300

CAY –>  CAYCLNT600

Log on to CAY

SM59 –> Create New ABAP Connection

You have to create user (in this case HR-PHOTO), type = system

Check Connection Test

Log on to CAP

SM59 –> Create New ABAP Connection

You have to create user (in this case HR-PHOTO), type = system

Check Connection Test

Don’t forget to make logical system for both client — tcode = SALE (sorry, I used another client for capturing the image)

but you have to modify SCC4 first (allow all objects) so you can create logical system because we are using cross client table

go to SCC4

go to tcode SALE

Done 🙂

error when upload foto Error in HTTP Access: IF_HTTP_CLIENT->RECEIVE 1 ICM_HTTP_CONNECTION_FAILED

Several days ago we are facing an error when uploading foto on tcode OAAD with this error :

Please make sure to do :

1. SICF –> restart content server interface  (deactivate – activate)

2. SMICM –> make sure ICM Status = running

Also you have to look at the log trace file –> Goto –> Trace File –> Display All

When I check the log, I’ve got this error message :

Thr 1029 *** ERROR => Connection request from (-1/65535/0) to host: casapdev.capcx.com, service: 8020 failed (NIEHOST_UNKNOWN)
Thr 1029 *** ERROR => IcmJ2EEScheduleFunc: Connection to casapdev.capcx.com:8020 failed – please check host configuration (-8)

So, I have 2 problem:

1. Cannot connect to HTTP

2. Wrong hostname

Here is the steps to fix the problem :

1. SE16 –> Create the following entry in the SDOKPROF table:
NAME: USEHTTPPLG
VALUE: OFF

2. RZ10 -> Check icm/host_name_full –> should be blank (not casapdev.capcx.com)

3. Restart sap r3

But there is another error after we restarting the sap r3 –>  “HTTP error: 401 Unauthorized”

what we are doing is :

1. Give authorization to client 230 on SICF –> Content Server

2. Activate certificate on OAC0

–> Environment –> CS Admin

Klik icon Activate

Finish 😀

Disable Multiple Logins in the Same Client

To disable multiple user logins within the same client implement this parameter in the instance profile:
Disable MultipleDisable Multiple Logins in the Same Client

To disable multipDisable Multiple Logins in the Same Client

To disable multiple user logins within the same client implement this parameter in the instance profile:

login/disable_multi_gui_login = 1

If you do not use this parameter in your system, users have the ability to ignore the warning window at the time they try to login to the same client.le user logins within the same client implement this parameter in the instance profile:

login/disable_multi_gui_login = 1

If you do not use this parameter in your system, users have the ability to ignore the warning window at the time they try to login to the same client. Logins in the Same Client

To disable multiple user logins within the same client implement this parameter in the instance profile:

login/disable_multi_gui_login = 1

If you do not use this parameter in your system, users have the ability to ignore the warning window at the time they try to login to the same client.
login/disable_multi_gui_login = 1

If you do not use this parameter in your system, users have the ability to ignore the warning window at the time they try to login to the same client.

 

How about exceptional logins?
In case you’re wondering how to allow multiple logins for certain key users you can implement parameter login/multi_login_users. You can list the user IDs that should be ignored if the parameter above is active in your system.

Lock a Client to Prevent Logons

Do you need to do maintenance on a system and want to make sure nobody logs on to it while you’re working on it?

You can lock a system at the OS level by running: tp locksys pf=tpprofile

Example: To lock your DEV system enter this command: tp locksys DEV pf=saptranshostsapmnttransbintp_domain_dev.pfl

Users will get this message if they attempt to log on: “Upgrade still running. Logon not possible”.

Notice that the message is not exactly accurate. TP locksys is mainly used during release upgrades so the message is kind of generic. But, it works!

To unlock the system, run: tp unlocksys pf=tpprofile

Now you can tell your boss that you know how to keep the users off the system!

Only SAP* and DDIC can log on to any of the clients in the system that has been locked.

 

For detail information go to the following link http://sapdocs.info/sap/uncategorized/frequently-used-procedures-in-sap/

Security Audit Log

The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. By activating the audit log, you keep a record of those activities you consider relevant for auditing. You can then access this information for evaluation in the form of an audit analysis report.

The audit log’s main objective is to record:

• Security-related changes to the SAP System environment
  (for example, changes to user master records)
• Information that provides a higher level of transparency
  (for example, successful and unsuccessful logon attempts)
• Information that enables the reconstruction of a series of events
  (for example, successful or unsuccessful transaction starts)

Specifically, you can record the following information in the Security Audit Log:

• Successful and unsuccessful dialog logon attempts
• Successful and unsuccessful RFC logon attempts
• RFC calls to function modules
• Successful and unsuccessful transaction starts
• Successful and unsuccessful report starts
• Changes to user master records
• Changes to the audit configuration

To configure the audit log –> sm19

To see the audit log –> sm20

To delete old log –> sm 18

 

Before you activate the audit log you have to setup several parameters in RZ10 :

 

rsau/enable: Set to 1 to activates audit logging

rsau/local/file: Name and location of the audit log file

rsau/max_diskspace/local: Max. space of the audit file. If maximum size is reached auditing stops.

rsau/selection_slots: Max. number of filters

rsau/enable: Set to 1 to activates audit loggingrsau/local/file: Name and location of the audit log filersau/max_diskspace/local: Max. space of the audit file. If maximum size is reached auditing stops.rsau/selection_slots: Max. number of filters

the maximum size of an audit file is 2 gigabytes for a single day, so the in case of profile parameter rsau/max_diskspace/local the min value is 1000000kb & maximum value is 2GB

For profile parameter rsau/max_diskspace/per_file minimum is 1MB & Maximum is 2 GB

For rsau/max_diskspace/per_day minimum value should be 3*per_file & maximum 1024 GB.So check these parameter.

For more detail see the following page  http://help.sap.com/saphelp_nw04/helpdata/EN/2c/c59d37d373243de10000009b38f8cf/frameset.htm

 

Professional & Limited Users

to change professional user to limited users do the following step :

1. USMM

System Data :

–> Production

Clients :

–> choose the client you want to classify

Price Lists :

Choose mySAP.com Solution Suite

Then click User Classification  –> F8

select users then click Classify Selected Users

done

Can not export to excel

If some user can not export data to excel file while others can, so you have to check if there is a window like this before saving the data (for exampe YCAVQ0005)

When you click Export icon like this

Export to Spreadsheet

after you choose Spreadsheet, system will display a small window like this

Select Spreadsheet

after you klik OK, system will display

Save As

For some user there is no Select Spreadsheet window, and the saving data will failed like this

what should you do?

On the Export Spreadsheet screen, right click on a cell in the data section of your report, for example, on DN Number then Select Spreadsheet, after that the Select Spreadsheet window will appear 😀