
The Java connector is a component used for authentication and communication with remote services via JDBC drivers or Java SDKs. It runs as an independent OS process and can be configured and controlled through transaction /DVD/JCO_MNG (local deployment of the JCO) and /DVD/JCO_MON (JCO monitor).

By default, the Java connector is deployed directly on the SAP ABAP application server and can be managed from the SAP GUI. If the operating system of the application server is Linux x64 or Windows x64, the setup is straightforward.
If SAP runs on a different operating system or architecture, please make sure to follow additional steps in Using custom Java Runtime.

Transaction /DVD/JCO_MNG

/DVD/JCO_MNG is the interface for the Java connector (JCO) management.
When the transaction is opened for the first time, a pop-up window asks whether the JCO is going to be deployed locally or if there is a standalone JCO installation that is only going to be monitored.
The crucial configuration parameter is the SAP RFC destination which will be used as a communication channel between SAP and JCO.
In the case of a standalone JCO, the interface only allows checking whether the JCO is up and connected, but the configuration and operation are done remotely (for more information see the chapter (SM-2311) Standalone Java Connector).

Prerequisites

SNP JCO Deployment in “RISE with SAP”

If your SAP system is in a RISE with SAP environment, it is necessary to communicate with the SAP vendor about the need to register the JCO as an Add-on.
This will prevent the security tools from stopping the JCO and reporting it as a rogue process.
Technically, the deployment requirements stay the same.
It is worth noting that for connection with external cloud platforms, there is a need to open the network to respective endpoints.
This can be done either directly on the firewall or through the proxy server (the connection is always outgoing, using port 443).

SAP RFC role and user

The Java connector uses a dedicated user in the SAP system for registration on the SAP gateway and for further communication between ABAP and Java.
This user should be created with the type System and with authorizations limiting its privileges to basic RFC communication.

Pre-created role /DVD/JCORFC is included with the software and can be used as is, or as a template for the custom role.

The required authorization object is S_RFC with these settings:

  • ACTVT = 16

  • RFC_NAME = RFC1, RFC_METADATA, SDIFRUNTIME, SYST

  • RFC_TYPE = FUGR

Java Connector RFC

Java Connector RFC is used to reference the Java service registered on the SAP gateway. Use the template below as a reference.

Settings:

  • Connection Type: T for TCP/IP Connection

  • Activation Type: Select Registered Server Program

  • Program ID: Name under which the JCO identifies itself when it registers on the SAP gateway (example: DATAVARD_JAVA_CONN)

SAP Gateway Access

External communication with the SAP system goes through the SAP gateway. If the SAP system parameter gw/acl_mode is enabled, the reginfo file limits which external programs may register.
In this case, the program must be granted access either by a wildcard definition or by explicitly listing the program registration name (in our example DATAVARD_JAVA_CONN).

More information on the SAP gateway ACL topic can be found on the SAP website Gateway Security Files secinfo and reginfo.

Initial setup

For local JCO deployment switch to the local management by clicking the Deploy local JCO button in the toolbar.

  1. Select the latest JCO version by double-clicking the row on the left side of the screen.

  2. Switch to Edit mode.

  3. Click Fill default values.

  4. Fill in RFC Destination in the General tab.

  5. Fill in Technical user Credentials in the Config tab.
    Optionally, customize the Install directory. Logical path </DVD/DEF_JCO_DIR> translates to /usr/sap/<SID>/<instance_dir>/work/dvd_conn/.
    If multiple application servers are used, the installation directory must contain </DVD/DEF_JCO_DIR> to enable deployment to the appropriate path containing the INSTANCE directory on each app. server.

  6. Select the latest library in Libraries.

  7. Go back to the General tab, Save, and click Restart to deploy the Java connector.

In a scenario with multiple SAP application servers, the initial deployment needs to be done locally on each app. server. Switch to the respective app. server using transaction SM51.

Advanced parameters description

  • OS Command for starting Java service: Name of an OS command for starting Java service (SM69).

  • OS Command for setting access permissions: Name of an OS command for setting execution rights (SM69).

  • OS Command for 7Zip: Name of an OS command for unpacking libraries and embedded JRE (only if embedded JRE is chosen) (SM69).

  • Max RAM used: Maximum amount of RAM used by Java service (heap size).

  • Additional Java starting arguments: Additional arguments used to start the Java service.

  • Repository destination: Client destination from which repository should be obtained.

  • Work thread MIN: Number of threads Java service always runs with.

  • Work thread MAX: Maximum number of threads that can be used by the Java service.

  • Connection count: Number of connections registered at SAP gateway. The maximum number of connections per JCO instance is 100.

  • Peak limit: Limit of JCo connections at peak.

  • Log4j log level: Level of messages collected in logs.

  • Log4j log deletion: Log retention period.

  • Log files path: Directory where the log files will be saved.

  • JAR path: Path where the JCO JAR file will be created.

  • Log4j config path: Path where the log4j config file will be created.

  • Server config path: Path where the server config will be created.

  • Destination config path: Path where the destination config will be created.

  • Avoid JCO config file creation: Special option which prevents automatic overwriting of existing JCO files. Useful for cases when manual modification of configuration files is needed (troubleshooting).

  • Use JCO dir for parquet conversion: If required, JCO performs data conversion into PARQUET format. This is by default done in memory; when this option is active, conversion is done using temporary files in the JCO_install_dir/parquet subdirectory. This may be necessary if the memory allowance for JCO is limited.

  • Embedded JRE: Path to embedded JRE (nested in Install directory in Config Tab (JCO_HOME)).

  • Use custom JRE: Checkbox that decides whether a custom JRE is used for JCo. If it is not checked, the embedded JRE is used.

  • Custom JRE: Path to a custom JRE (can be nested in the Install directory from the Config tab (JCO_HOME), or anywhere on the system).

The Java service is started with a system command. You can adjust the name of this command in the Advanced tab. The default name of the command is ZDVD_START_JAVA. If the system command doesn't exist, it is created automatically. You can view the system commands through transaction SM69. On Linux, another system command is required, which sets executable rights for the configuration files (chmod 755 <filename>). Its name can also be adjusted in the Advanced tab.

The following authorizations are required for the automatic start of the Java process:

  • S_RFC_ADM (Administration for RFC Destination): ACTVT = 03, RFCTYPE = * , RFCDEST = <JAVA_RFC>, ICF_VALUE = *

  • S_DATASET (Authorization for file access): PROGRAM =/DVD/*, ACTVT = *, FILENAME = *

  • S_LOG_COM (Authorization to Execute Logical Operating System Commands): COMMAND = ZDVD*, OPSYSTEM = * , HOST = *

Management of JCO config versions (upload/download) also requires S_GUI (Authorization for GUI activities) with ACTVT = 61,60

Using custom Java Runtime

As of Reuse Library version 22.08, the SNP Java connector comes with a regularly updated embedded Java runtime (Adoptium 11) for Linux x86_64 and Windows x64, and no manual setup is required in this regard.

If you have another operating system (Solaris, AIX, etc.), or you cannot use embedded JRE for any reason, you will need to deploy your Java runtime and libsapjco3 libraries manually.

Java runtime environment (JRE)

Recommended JRE is OpenJDK 11, but generally, the recent releases of Java 8 are usable. OpenJDK can be downloaded from the Adoptium download site for most architectures.

To avoid interfering with a Java installation that may already be present on the SAP application server, the archive can simply be unpacked into any directory accessible to <sid>adm, e.g. /sapmnt/<SID>/global/JRE_11/.

The option to choose between embedded JRE and custom JRE can be found in the Advanced Tab of /DVD/JCO_MNG transaction:

Parameters:

  • Embedded JRE: Path to embedded JRE Java binary. It is by default nested in the Install directory defined in the Config Tab (JCO_HOME).

  • Use custom JRE: Checkbox whether or not to use custom JRE. In the default configuration, the checkbox is unchecked, so embedded JRE will be deployed and there is no need to specify Custom JRE.

  • Custom JRE: Path to custom JRE Java binary. This option is usually needed on non-standard operating systems (see information below).

SAP Java Connector Library

Java Connector uses a shared library published by SAP named libsapjco3.so (or sapjco3.dll on Windows OS).
Starting with SNP JCo version 229, the library is included in the SNP transports for Linux x86_64 and Windows x64.
If the system hosting the JCo runs on an OS other than Linux x86_64 or Windows x64, it is necessary to download the library manually and replace it after the first attempt to start the JCo.
The first start attempt will fail due to incompatibility, but it will deploy all other libraries and configuration files needed for the JCo run. The location of the libraries is /<installation_directory_path>/lib/.

SAP Java connector library can be downloaded at https://support.sap.com/en/product/connectors/jco.html.

Once the library has been uploaded to the JCo host and the first startup attempt (described above) has been made, replace the library and change its ownership to <sid>adm:sapsys, for example:

cp libsapjco3.so /usr/sap/NSD/DVEBMGS01/work/dvd_conn/jco233/lib/
chown nsdadm:sapsys /usr/sap/NSD/DVEBMGS01/work/dvd_conn/jco233/lib/libsapjco3.so

Central Java instance

It is possible to run a single Java connector instead of one on every application server. To set up such a scenario, follow these steps:

  1. If the Java connector is already running on several application servers, stop all instances.

  2. Open the Java RFC destination and fill in the Gateway options valid for the desired instance.

  3. When you restart the transaction /DVD/JCO_MNG, only buttons belonging to the desired application server should be functional and all the other app. servers should be using this connection.
    Start the connector and all rows in the Connection column should be green.

Make sure that the RFC connection tests in SM59 work from all application servers. In some SAP NetWeaver versions, you must explicitly grant ACCESS for the program ID in the reginfo file.

Example:
P TP=DATAVARD_JAVA_CONN ACCESS=internal (or explicitly listing the hosts).
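A reginfo check for the two situations described above (program registration with gw/acl_mode enabled, and the ACCESS list needed in the central-instance scenario), written as an added example and not part of SNP's tooling: it parses a constructed reginfo file, applies the gateway's first-match rule to the registering program ID and host, then checks which hosts may call the registered program and flags wildcard lines that should be tightened. The sample file, the host set standing in for the internal keyword, and the treatment of a missing HOST/ACCESS as '*' are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "P" permit / "D" deny
    tp: str       # program ID pattern
    host: str     # hosts allowed to register the program
    access: str   # hosts allowed to call the registered program
    line_no: int

# Constructed sample reginfo, not a file from the page.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=DATAVARD_JAVA_CONN HOST=internal ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=*
D TP=*
"""
# Constructed: the hosts that 'internal'/'local' stand for (the gateway resolves
# them itself; this checker takes them from the caller).
INTERNAL_HOSTS = {"sapapp01", "sapapp02"}

def parse_reginfo(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"line {n}: expected P or D, got {action!r}")
        kv = {k.upper(): v for k, _, v in (p.partition("=") for p in pairs)}
        if "TP" not in kv:
            raise ValueError(f"line {n}: TP= is mandatory")
        # Assumption: a missing HOST/ACCESS is read as '*' (allow all), the most
        # permissive reading, which is the one a reviewer needs to see.
        rules.append(Rule(action.upper(), kv["TP"], kv.get("HOST", "*"),
                          kv.get("ACCESS", "*"), n))
    return rules

def _matches(pattern, value):
    """Exact match or trailing-'*' prefix match, case-insensitive."""
    p, v = pattern.upper(), value.upper()
    return p == "*" or (p.endswith("*") and v.startswith(p[:-1])) or p == v

def _host_listed(host_list, host, internal):
    for entry in (e.strip() for e in host_list.split(",")):
        if entry.lower() in ("internal", "local"):
            if host in internal:
                return True
        elif _matches(entry, host):
            return True
    return False

def registration_rule(rules, progid, reg_host, internal):
    """First line whose TP and HOST both match wins; None means no line matched,
    which this checker treats as deny."""
    for r in rules:
        if _matches(r.tp, progid) and _host_listed(r.host, reg_host, internal):
            return r
    return None

def may_register(rules, progid, reg_host, internal):
    r = registration_rule(rules, progid, reg_host, internal)
    return r is not None and r.action == "P"

def may_access(rules, progid, reg_host, client_host, internal):
    """May client_host call a program registered from reg_host? The ACCESS list
    of the line that permitted the registration decides."""
    r = registration_rule(rules, progid, reg_host, internal)
    return r is not None and r.action == "P" and _host_listed(r.access, client_host, internal)

def overly_permissive(rules):
    """Permit lines that let any program register from, or be called from, any host."""
    return [r.line_no for r in rules
            if r.action == "P" and r.tp == "*" and "*" in (r.host, r.access)]
```

Run it against the reginfo of each application server before enabling gw/acl_mode; a non-empty overly_permissive() result means the wildcard line, not the JCO line, is what grants access.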

Setting up the connection via the proxy server

Sometimes communication with a service outside the corporate network needs to be routed through a proxy server to comply with company security standards.

To achieve this, you need to add the following Java parameters to the Additional Java starting arguments field in the Advanced tab of /DVD/JCO_MNG.

-Dhttps.useProxy=true
-Dhttps.proxyHost=<proxy_host>
-Dhttps.proxyPort=<proxy_port>

Custom destination for JCO lock file

The lock file is used to prevent the accidental start of multiple JCO instances. By default, the lock file is created in the Installation directory.
If needed, the directory can be changed, using the parameter -DremoteLockFileDir=<ChosenDirectory>.

SNC configuration

If the SAP system is hardened with Secure Network Communications enabled (system parameter snc/enable = 1), additional configuration steps are required.

  1. The first step is the creation of a Personal Security Environment (PSE) for JCo. This is done as the <sid>adm user. The PSE should be stored together with the other SAP PSE files, by default in /usr/sap/<SID>/<SAP_instance>/sec, which is referenced by the environment variable $SECUDIR. Commands to create the PSE, with an example for system ID NSZ and csh as nszadm's shell:
    su - nszadm
    setenv SECUDIR /usr/sap/NSZ/D00/sec
    cd $SECUDIR
    sapgenpse gen_pse -v -p DVDJCO.pse

    A passphrase can optionally protect the PSE. The mandatory input parameter is the Distinguished Name of the PSE owner; in our example it is CN=JCO_RFC, OU=DVD, C=DE.

    nsz:nszadm 98> sapgenpse gen_pse -v -p DVDJCO.pse
    Got absolute PSE path "/usr/sap/NSZ/D00/sec/DVDJCO.pse".
    Please enter PSE PIN/Passphrase:
    Please reenter PSE PIN/Passphrase:
    !!! WARNING: For security reasons it is recommended to use a PIN/passphrase
    !!! WARNING: which is at least 8 characters long and contains characters in
    !!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
    
    get_pse: Distinguished name of PSE owner: CN=JCO_RFC, OU=DVD, C=DE
     Supplied distinguished name: "CN=JCO_RFC, OU=DVD, C=DE"
     Creating PSE with format v2 (default)
     succeeded.
     certificate creation... ok
     PSE update... ok
     PKRoot... ok
    Generating certificate request... ok.
    Certificate Request:
     Signed Part:
      Subject:                             CN=JCO_RFC, OU=DVD, C=DE
      Key:                                 rsaEncryption (2048 bits)
      Attributes:                          None
     Signature:
      Signature algorithm:                 sha256WithRsaEncryption (1.2.840.113549.1.1.11)
      Signature:                           <Not displayed>
    
    PKCS#10 certificate request for "/usr/sap/NSZ/D00/sec/DVDJCO.pse":
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIICcjCCAVoCAQAwLTELMAkGA1UEBhMCREUxDDAKBgNVBAsTA0RWRDEQMA4GA1UE
    ################################################################
    ################################################################
    ################################################################
    PxmDNQSCYvLxURXcP+vQxDSOq5QYgQf4g4egjVXRcyQwOJNZRpHlP1olXc4Aa675
    -----END CERTIFICATE REQUEST-----
    nsz:nszadm 99>

  2. The second step is to export the certificate with the public key from the newly created PSE, using the command:
    sapgenpse export_own_cert -v -p DVDJCO.pse -o DVDJCO.crt
    This produces a DVDJCO.crt file.

    nsz:nszadm 99> sapgenpse export_own_cert -v -p DVDJCO.pse -o DVDJCO.crt
    
     Opening PSE "/usr/sap/NSZ/D00/sec/DVDJCO.pse"...
     No SSO credentials found for this PSE.
     PSE (v2) open ok.
     Retrieving my certificate... ok.
     Writing to file (PEM-framed base64-encoded)... ok.
    
    nsz:nszadm 100>

  3. Now import the DVD JCo certificate file into the SAP system’s Trust manager.
    Run transaction STRUST > switch to Edit mode > double-click SNC PSE node > in the lower part of the screen click on the Import certificate icon, locate the certificate file, confirm file selection > click Add to Certificate List > Save (Ctrl+S)
    NOTE: You may need to download the certificate file to your front end to be able to select it.

  4. We have imported the JCo certificate to SAP. To create two-way trust between SAP and JCo, we now need to import the SAP system’s certificate to JCo PSE.
    Export SAP’s certificate, similarly as in step 3. Run STRUST and select the SNC PSE node, but double-click on Own certificate, and at the bottom of the screen click the icon Export certificate. Choose Base64 format, path, and filename to save the .crt file. Upload the file to the application server, ideally to $SECUDIR.

  5. To import the SAP certificate to JCo PSE, run the command:
    sapgenpse maintain_pk -v -a SAP.crt -p DVDJCO.pse

    nsz:nszadm 104> sapgenpse maintain_pk -v -a NSZ.crt -p DVDJCO.pse
    
     Opening PSE "/usr/sap/NSZ/D00/sec/DVDJCO.pse"...
     No SSO credentials found for this PSE.
     PSE (v2) open ok.
     retrieving PKList
     Adding new certificate from file "NSZ.crt"
    ----------
    Subject               :   CN=NSZ, OU=DVD, C=DE
    Issuer                :   CN=NSZ, OU=DVD, C=DE
    Serialno              :   0A:20:21:01:24:10:44:01
    KeyInfo               :   RSA, 2048-bit
    Validity  -  NotBefore:   Sun Jan 24 11:44:01 2021 (210124104401Z)
                  NotAfter:   Fri Jan  1 01:00:01 2038 (380101000001Z)
    KeyUsage              :   none
    ExtKeyUsage           :   none
    SubjectAltName        :   none
    ----------------------------------------------------------------------------
    
     PKList updated (1 entries total, 1 newly added)
    
    nsz:nszadm 105>

  6. To allow JCo to run under the <sid>adm user with the credentials stored in the PSE, SSO credentials must be created in the cred_v2 file.
    It is advised to back up the cred_v2 file before proceeding.
    The file should already exist in SECUDIR and will be updated using the command:
    sapgenpse seclogin -p DVDJCO.pse -O nszadm

    nsz:nszadm 105> cp -p cred_v2 cred_v2.bkp
    nsz:nszadm 106> sapgenpse seclogin -p DVDJCO.pse -O nszadm
    
     running seclogin with USER="nszadm"
     creating credentials for yourself (USER="nszadm")...
     Added SSO-credentials for PSE "/usr/sap/NSZ/D00/sec/DVDJCO.pse"
    
    nsz:nszadm 107>


    NOTE: If JCO is deployed in a Windows environment, allow access to the PSE file also for user SAPService<SID>.
    example: sapgenpse seclogin -p DVDJCO.pse -O SAPServiceNSZ

    Available SSO credentials can always be checked using the command:
    sapgenpse seclogin -l

  7. Now that the security environment is prepared, configure JCo SNC in transaction /DVD/JCO_MNG in the Config Tab:

    • SNC enabled: Once activated, user and password fields will be greyed out and have no effect on JCo configuration.

    • SNC QoP Level: SNC Quality of Protection, needs to be the same level as set in system parameter snc/data_protection/use (default = 3).

    • JCo SNC name: Distinguished name chosen during the creation of JCo PSE (step 1).

    • SNC-enabled GW port: SAP gateway port used for secure communication. The port number is 48$$, $$ being the instance number of a particular application server.

    • SNC partner name: Distinguished name of SAP system, pre-filled from SAP profile parameter snc/identity/as.

      Save the configuration when completed, but do not start the JCo yet.

  8. There are two more configuration pieces to complete before JCo can properly start and register on the SAP gateway.
    In SU01, activate SNC for RFC user dedicated to JCo communication, filling SNC name dedicated to JCo.
    Despite the user no longer being configured in /DVD/JCO_MNG, it is used by matching the SNC name entered here and the Distinguished name configured in JCo PSE.


    Secondly, via SM59 activate SNC in the RFC destination dedicated to communication between SAP and JCo and fill in the JCo Distinguished name again in the Logon & Security tab (SNC options button):


    Having all SNC prerequisites met, Java Connector can be started.

Sample JCo configuration files with SNC enabled

If the JCo is deployed in a Windows environment, the path to the cryptographic library may contain \usr or a similar path segment containing the \u character sequence.
That may result in an error during JCo startup:
Exception in thread "main" java.lang.IllegalArgumentException: Malformed \uxxxx encoding.

To circumvent this, every \u sequence in the configuration files needs to be preceded by an additional backslash → \\u.
To prevent automatic overwriting of the manually modified configuration files during JCO start, the option Avoid JCO config file creation in /DVD/JCO_MNG needs to be selected:

nsz:/usr/sap/NSZ/D00/work/dvd_conn/jco217 # cat config.jcoServer
version=217
jco.server.gwhost=127.0.0.1
jco.server.gwserv=4800
jco.server.connection_count=10
jco.server.progid=DATAVARD_JAVA_CONN
jco.server.repository_destination=ABAP_AS_WITH_POOL
jco.server.worker_thread_min_count=5
jco.server.worker_thread_count=20
jco.server.snc_mode=1
jco.server.snc_qop=3
jco.server.snc_myname=p:CN=JCO_RFC, OU=DVD, C=DE
jco.server.snc_lib=/sapmnt/NSZ/exe/uc/linuxx86_64/libsapcrypto.so

nsz:/usr/sap/NSZ/D00/work/dvd_conn/jco217 # cat config_as.jcoDestination
jco.client.client=001
jco.client.sysnr=00
jco.client.peak_limit=10
jco.client.ashost=127.0.0.1
jco.client.snc_mode=1
jco.client.snc_qop=3
jco.client.snc_myname=p:CN=JCO_RFC, OU=DVD, C=DE
jco.client.snc_partnername=p:CN=NSZ,OU=DVD,C=DE
jco.client.snc_lib=/sapmnt/NSZ/exe/uc/linuxx86_64/libsapcrypto.so
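An added example (not SNP code) that reproduces the Properties decoding behind the Malformed \uxxxx error described above and checks a jco config file before startup; it goes beyond the page's advice by escaping every backslash, not only \u, so a full Windows path survives decoding. The config lines and the Windows path in them are constructed.

```python
import re

_HEX4 = re.compile(r"[0-9A-Fa-f]{4}")
_CONTROL = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def decode_properties_value(raw):
    """Decode a value the way java.util.Properties.load() does: \\uXXXX needs exactly
    four hex digits (else 'Malformed \\uxxxx encoding.'), \\t \\n \\r \\f become control
    characters, and any other escaped character is kept with its backslash dropped."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break  # lone trailing backslash: Properties treats it as line continuation
        esc = raw[i]
        if esc == "u":
            digits = raw[i + 1:i + 5]
            if not _HEX4.fullmatch(digits):
                raise ValueError("Malformed \\uxxxx encoding.")
            out.append(chr(int(digits, 16)))
            i += 5
        else:
            out.append(_CONTROL.get(esc, esc))
            i += 1
    return "".join(out)

def escape_properties_value(value):
    """Double every backslash so the literal string survives decoding. Broader than
    the page's fix (escaping only \\u): D:\\usr\\sap\\... keeps all its separators."""
    return value.replace("\\", "\\\\")

def check_config_file(text):
    """Map key -> error for lines whose value would make Properties.load() throw.
    jco config files use key=value, so only '=' is treated as the separator."""
    problems = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        try:
            decode_properties_value(value.strip())
        except ValueError as err:
            problems[key.strip()] = str(err)
    return problems

# Constructed sample: a config.jcoServer as it might be written on a Windows host.
WINDOWS_SNC_LIB = "D:\\usr\\sap\\NSZ\\SYS\\exe\\uc\\NTAMD64\\sapcrypto.dll"
SAMPLE_CONFIG = (
    "version=217\n"
    "jco.server.progid=DATAVARD_JAVA_CONN\n"
    "jco.server.snc_lib=" + WINDOWS_SNC_LIB + "\n"
)
```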

Upgrading Java connector

This is a list of steps to do when you update your SNP software and you would like to switch to a new version of the Java connector.

With SAP JCO version 3.1, additional authorization is required for JCO’s RFC user, which allows the execution of function modules in function group RFC_METADATA.
Please make sure the RFC user has all authorizations listed in the SAP RFC role and user section of this page.

  1. Open transaction /DVD/JCO_MNG

  2. Double-click the current working connector and click Stop all.

  3. After the current version of the SNP Java connector is disconnected, click Copy config.

  4. Double-click the new version of the connector, enter Edit mode, then click Paste config, then fill the RFC Usage field with the same RFC that was used with the old connector.

  5. Switch to the Config tab and adjust the Install directory to match the current ID of SNP Java Connector and click on the Generate paths button.

  6. Switch to the Libraries tab and make sure you are using the latest libraries for your connector.

  7. Switch back to the General tab and click Restart for every Application server.
    It is important to start each JCO instance being logged onto the respective application server (SM51) to make sure the directories, libraries, and configuration files are deployed locally.
    This requirement is valid only for initial deployment, later operation (Stop/Start) is possible remotely, from any application server.

Restarting the connector can cause running Glue/Outboard jobs to fail. Therefore it is recommended to perform the upgrade during a quiet period and have Glue/Outboard jobs suspended.

Automatic Java connector startup after SAP system restart

For the automatic start of the Java connector after the SAP system restarts, schedule a periodic job with program /DVD/JCO_WATCH_DOG with start condition: “SAP_SYSTEM_START“.

Setting up the automatic start of Java Connector after SAP system restart is not mandatory. Java Connector will be started once it is needed.

Copying Java connector

Sometimes it may be necessary to COPY a JCo instance and create a new version from it. When a JCo is copied, a separate JCO_HOME directory is used and the JRE process is started on top of the new JCO_HOME, so the new JCo has its own space for configuration and logs.

Possible use cases for JCo COPY:

  • Vertical scaling: when more JCo instances are needed (separate JRE processes, each of which can handle different tasks or storages).

  • Versioning: when a JCo version is needed for a different purpose.

  • JCo testing: to create separate instances for testing and separation of concerns.

With the JCo COPY functionality, the new JCo copy (instance) is created with an increased subversion number.

For example, when copying from 233, the JCo copy is created with ID 233.1. If another copy is created, it gets ID 233.2.

  1. Open transaction /DVD/JCO_MNG.

  2. Click on Copy JCO and fill in the dialog:

    • Copy config from Java RFC: Copies the JCo configuration from the given RFC.

    • Copy config from version ID: Copies the JCo configuration from the given JCo ID.

    • Use default values: Use defaults.

    • Java version: Read-only field; the new copy of the JCo is created from this Java version.

    • Description: Description of the newly created copy of the JCo.

  3. Review the newly created copy of the JCo.
    By default, it has an adjusted JCO_HOME (Install directory), and all relevant settings in the Advanced tab point to the new JCO_HOME (233.1).

  4. Set the RFC for the new JCo instance.
    Go to the General tab and assign the RFC to the Java connector.