(SM-2108) Java Connector Setup
Datavard Java connector is a component used for authentication and communication with remote services using JDBC drivers or Java SDKs. It runs as an independent OS process and can be configured and controlled through transaction /DVD/JCO_MNG
.
In this section:
/DVD/JCO_MNG
allows you to link the Datavard Java connector with the SAP RFC destination which will be used as a communication channel between SAP and JCo and maintain the settings. After all required fields are filled and saved, you can click the Restart button to start the Java service. When the Java process is running, you can control it across the application servers and display logs.
Setup
This component requires an initial setup to be fully functional.
Java runtime environment
An up-to-date Java runtime must be available to the SAP's <sid>adm user. Datavard Java connector is tested and built using OpenJDK 11.
The latest OpenJDK JRE can be downloaded from https://jdk.java.net/15/.
Not to interfere with possible Java installation already present on the SAP application server, the archive can be unpacked into a non-default directory, e.g. /sapmnt/<SID>/global/
.
In the case of AIX systems, OpenJDK is not available, but standard IBM Java should be usable. Download and installation link:
https://www.ibm.com/support/pages/ibm-java-aix-howto-install-or-upgrade-ibm-java-specific-release-eg-service-refresh-or-fix-pack.
SAP Java Connector library
SAP Java Connector 3.0 library libsapjco3.so, which can be downloaded from the SAP marketplace, needs to be uploaded to the SAP application server. It should be located in the directory referenced by the LD_LIBRARY_PATH
environment variable of <sid>adm user.
It is recommended to append a shared Datavard directory /sapmnt/<SID>/global/security/dvd_conn
to LD_LIBRARY_PATH
variable defined by SAP instance profile and place libsapjco3.so to this directory.
Otherwise, it can be copied directly into the SAP kernel directory, which is by default included in LD_LIBRARY_PATH
.
NOTE: If you copy the library into the SAP kernel directory, you must ensure the library will be preserved during each SAP kernel upgrade.
$ echo $LD_LIBRARY_PATH
/usr/sap/DVQ/SYS/exe/run:/usr/sap/DVQ/SYS/exe/uc/linuxx86_64:/usr/sap/DVQ/hdbclient:/sapmnt/DVQ/global/security/dvd_conn
/sapmnt/DVQ/global/security/dvd_conn/ # ls -l libsapjco3.so
-rwxr-x--- 1 dvqadm sapsys 59 Apr 5 15:12 libsapjco3.so |
SAP RFC role and user
Datavard Java connector uses a dedicated user in the SAP system for communication. This user should be created with the type 'Communications Data' and with authorizations limiting his privileges to basic RFC communication.
The required authorization object is S_RFC with these settings:
ACTVT = 16
RFC_NAME = SYST, RFC1, SDIFRUNTIME
RFC_TYPE = FUGR
Example of custom SAP role in PFCG transaction (Display Authorization Data):
Java RFC
Java RFC by name refers to the Datavard Java service which is used for authentication and communication with other services.
Entries explained:
Connection Type – T for TCP/IP Connection
Activation Type – select Registered Server Program
Program ID – DATAVARD_JAVA_CONN
SAP gateway access
External communication with the SAP system goes through the SAP gateway. If SAP system parameter gw/acl_mode is enabled, there are two files (secinfo and reginfo) that limit the access.
In this case, a program needs to have granted access either by wildcard definition or explicitly defining the program registration name:
DATAVARD_JAVA_CONN
More information on the SAP gateway ACL topic can be found on the SAP website Gateway Security Files secinfo and reginfo.
/DVD/JCO_MNG initial setup
Select the latest JCo version by double-clicking the row on the left side of the screen
Switch to Edit mode
Click “Fill default values”
Adjust values you want to change
Config
Client - the client of SAP technical user used to register on SAP gateway
RFC User - username of SAP technical user used to register on SAP gateway
Password - hashed password of SAP technical user used to register on SAP gateway. The hash can be created by typing the password in the field below and clicking the 'Hash' button
Install directory - directory on the application server where the application and log files will be generated - can be a physical path or a logical path enclosed in <>, default path </DVD/DEF_JCO_DIR> can be used. After changing this value, you have to click the 'Generate paths' button, which will propagate the new path structure to the rest of the configuration (as can be seen in the Advanced tab)
Java exe - the path to Java executable on the SAP application server
Java vendor - Name of Java vendor, ORACLE or IBM (for SAP JVM, or OpenJDK, fill ORACLE)
Dependencies
select a library that you want to use with JCO. The base library must always be selected. In case the connection to AWS or GCP is required, a library supporting such a platform needs to be selected.
In case the needed library is missing, please contact the Datavard representative for further instructions on how to load the library to the system.
Advanced
In most scenarios, these settings don’t need to be changed.thatOS Command for starting java service - name of an OS command for starting Java service (SM69)
OS Command for setting access permissions - name of an OS command for setting execution rights (SM69)
Max RAM used - maximum amount of RAM used by Java service (heap size)
Additional java starting arguments - additional arguments used to start Java service
Repository destination - client destination from which repository should be obtained
Work thread MIN - number of threads Java service always runs with
Work thread MAX - maximum number of threads that can be used by Java service
Connection count - number of connections registered at SAP gateway
Peak limit - limit of JCo connections at peak
Log4j log level - level of messages collected in logs
Log4j log deletion - how long the logs should be archived
JAR path - the path where the JAR file will be created
Server config path - the path where the server config will be created
Destination config path - the path where the destination config will be created
Log files path - a directory where the log files will be saved
Log4j config path - the path where the log4j config file will be created
Go to the 'General' tab and assign an RFC to the Java connector
RFC Usage - Defines an RFC that points to this Java application.
Save the settings
Start the Java service by clicking the 'Restart' button
The Java service is started with a system command. You can adjust the name of this command in the table Advanced tab. The default name of the command is ZDVD_START_JAVA. In the case the system command doesn't exist, it is created automatically. You can view the system commands through the transaction SM69. On Linux, another system command is required, which sets executable rights for the configuration files (chmod 755 <filename>). Its name can be adjusted in the Advanced tab.
The following authorizations are required for the automatic start of the Java process:
S_RFC_ADM (Administration for RFC Destination): ACTVT = 03, RFCTYPE = * , RFCDEST = <JAVA_RFC>, ICF_VALUE = *
S_DATASET (Authorization for file access): PROGRAM =/DVD/*, ACTVT = *, FILENAME = *
S_LOG_COM (Authorization to Execute Logical Operating System Commands): COMMAND = ZDVD*, OPSYSTEM = * , HOST = *
Management of JCO config versions (upload/download) also requires S_GUI (Authorization for GUI activities) with ACTVT = 61,60
Central Java instance
It is possible to have a single Java connector running, instead of running one on every application server. To set such a scenario, follow these steps:
If the Java connector is already running on several application servers, stop all instances.
Open the Java RFC destination and fill the Gateway options valid for the desired instance
When you restart transaction
/DVD/JCO_MNG
, only buttons belonging to the desired application server should be functional and all the other app. servers should be using this connection. Start the connector and all rows in theConnection
column should be green.
Setting up a proxy server
Sometimes communication with a service outside the corporate network needs to be routed through a proxy server to comply with company security standards.
To achieve this, you need to add the following java parameters to the Additional java starting arguments
field in Advanced
tab of /DVD/JCO_MNG
.
-Dhttp.useProxy=true
-Dhttps.proxyHost=<proxy_host>
-Dhttp.proxyHost=<proxy_host>
-Dhttps.proxyPort=<proxy_port>
-Dhttp.proxyPort=<proxy_port>
SNC configuration
If the SAP system is hardened by enabled Secured Network Communication (system parameter snc/enable = 1), there are additional configuration steps.
The first step is the creation of a Personal Security Environment (PSE) for Datavard JCo. This is to be done under <sid>adm user. PSE should be stored together with other SAP PSE files, by default on path /usr/sap/<SID>/<SAP_instance>/sec, referenced by environment variable $SECUDIR. Commands to create the PSE, with an example of system ID NSZ with csh as nszadm’s shell:
su - nszadm
setenv SECUDIR /usr/sap/NSZ/D00/sec
cd $SECUDIR
sapgenpse gen_pse -v -p DVDJCO.pse
PSE can be optionally protected by a passphrase. The mandatory input parameter is the Distinguished name of the PSE owner, in our example, it’sCN=JCO_RFC, OU=DVD, C=DE
nsz:nszadm 98> sapgenpse gen_pse -v -p DVDJCO.pse Got absolute PSE path "/usr/sap/NSZ/D00/sec/DVDJCO.pse". Please enter PSE PIN/Passphrase: Please reenter PSE PIN/Passphrase: !!! WARNING: For security reasons it is recommended to use a PIN/passphrase !!! WARNING: which is at least 8 characters long and contains characters in !!! WARNING: upper and lower case, numbers and non-alphanumeric symbols. get_pse: Distinguished name of PSE owner: CN=JCO_RFC, OU=DVD, C=DE Supplied distinguished name: "CN=JCO_RFC, OU=DVD, C=DE" Creating PSE with format v2 (default) succeeded. certificate creation... ok PSE update... ok PKRoot... ok Generating certificate request... ok. Certificate Request: Signed Part: Subject: CN=JCO_RFC, OU=DVD, C=DE Key: rsaEncryption (2048 bits) Attributes: None Signature: Signature algorithm: sha256WithRsaEncryption (1.2.840.113549.1.1.11) Signature: <Not displayed> PKCS#10 certificate request for "/usr/sap/NSZ/D00/sec/DVDJCO.pse": -----BEGIN CERTIFICATE REQUEST----- MIICcjCCAVoCAQAwLTELMAkGA1UEBhMCREUxDDAKBgNVBAsTA0RWRDEQMA4GA1UE ################################################################ ################################################################ ################################################################ PxmDNQSCYvLxURXcP+vQxDSOq5QYgQf4g4egjVXRcyQwOJNZRpHlP1olXc4Aa675 -----END CERTIFICATE REQUEST----- nsz:nszadm 99>
The second step is to export the certificate with the public key from the newly created PSE, using the command:
sapgenpse export_own_cert -v -p DVDJCO.pse -o DVDJCO.crt
This produces a DVDJCO.crt file.Now import DVD JCo certificate file into SAP system’s Trust manager.
Run transaction STRUST → switch to Edit mode → double-click SNC PSE node → in the lower part of the screen click on Import certificate icon, locate the certificate file, confirm file selection → click Add to Certificate List → Save (Ctrl+S)
NOTE: You may need to download the certificate file to your frontend to be able to select it.We have imported the JCo certificate to SAP. To create two-way trust between SAP and JCo, now we need to import the SAP system’s certificate to JCo PSE.
Export SAP’s own certificate, similarly as in step 3. run STRUST select SNC PSE node, but double-click on Own certificate and in the bottom of the screen click icon Export certificate. Choose Base64 format, path, and filename to save the .crt file. Upload the file to the application server, ideally to $SECUDIR.To import SAP certificate to JCo PSE, run command:
sapgenpse maintain_pk -v -a SAP.crt -p DVDJCO.pse
To allow JCo running under <sid>adm user using the credentials stored in the PSE, SSO credentials need to be created in the cred_v2 file.
It is advised to back up the cred_v2 file before proceeding.
The file should already exist in SECUDIR and will be updated using the command:sapgenpse seclogin -p DVDJCO.pse -O nszadm
Available SSO credentials can always be checked using the command:sapgenpse seclogin -l
Now that the security environment is prepared, configure JCo SNC in transaction /DVD/JCO_MNG as follows:
SNC enabled - once activated, user and password fields will be greyed out and have no effect on JCo configuration
SNC QoP Level - SNC Quality of Protection, needs to be the same level as set in system parameter snc/data_protection/use (default = 3)
JCo SNC name - Distinguished name chosen during the creation of JCo PSE (step 1.)
SNC enabled GW port - SAP gateway port used for secure communication. Default port number is 48$$, $$ being instance number
SNC partner name - Distinguished name of SAP system, pre-filled from SAP profile parameter snc/identity/as
Save the configuration when completed, but do not start the JCo yet.
There are two more configuration pieces to complete before JCo can properly start up and register on the SAP gateway.
In SU01, activate SNC for RFC user dedicated for JCo communication, filling SNC name dedicated to JCo.
Despite the user no longer being configured in /DVD/JCO_MNG, it is used by matching the SNC name entered here and the Distinguished name configured in JCo PSE.
Secondly, via SM59 activate SNC in RFC destination dedicated to communication between SAP and JCo and fill JCo distinguished name again in Logon & Security tab (SNC options button):
Having all SNC prerequisites met, Datavard Java Connector can be started.
Sample JCo configuration files with SNC enabled
Upgrading Java connector
This is a list of steps to do when you update your Datavard software and you would like to switch to a new version of the Java connector.
Open transaction
/DVD/JCO_MNG
Double-click the current working connector and click
Copy config
Double-click the latest connector, enter
Edit mode
, then clickPaste config
, then fill theRFC Usage
field with the same RFC that was used with the old connectorSwitch to the
Dependencies
tab and make sure you are using the latest libraries for your connectorSwitch back to the
General
tab and clickRestart
for every Application server
Restarting the connector can cause running Glue/Outboard jobs to fail. Either do the Restart the connector in quiet hours or make sure you re-run the failed jobs.